Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Jans linux setup refactor #1328

Merged
merged 3 commits into from
May 12, 2022
Merged

feat: Jans linux setup refactor #1328

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e560502
refactor: jans-linux-setup use python libs to get ssl certificate
devrimyatar May 12, 2022
bc80184
refactor: jans-linux-setup use python libs to decode cert
devrimyatar May 12, 2022
3bda448
refactor: jans-linux-setup collecting properties
devrimyatar May 12, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions jans-linux-setup/jans_setup/setup_app/installers/jans_auth.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import uuid
import shutil
import json
import tempfile

from urllib.parse import urlparse

Expand Down Expand Up @@ -159,17 +160,16 @@ def import_openbanking_certificate(self):
jwksUri = oxauth_config_json['jwksUri']
o = urlparse(jwksUri)
jwks_addr = o.netloc
ssl_cmd = shutil.which('openssl')
random_crt_fn = os.path.join(self.output_folder, '{}.crt'.format(os.urandom(3).hex()))
cmd = "echo -n | {} s_client -connect {}:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > {}".format(ssl_cmd, jwks_addr, random_crt_fn)
self.run(cmd, shell=True)
open_banking_cert = self.get_server_certificate(jwks_addr)
alias = jwks_addr.replace('.', '_')

self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore',
Config.defaultTrustStoreFN, '-storepass', 'changeit',
'-noprompt', '-alias', alias, '-file', random_crt_fn])
with tempfile.TemporaryDirectory() as tmp_dir:
tmp_fn = os.path.join(tmp_dir, jwks_addr+'.crt')
self.writeFile(tmp_fn, open_banking_cert)
self.run([Config.cmd_keytool, '-import', '-trustcacerts', '-keystore',
Config.defaultTrustStoreFN, '-storepass', 'changeit',
'-noprompt', '-alias', alias, '-file', tmp_fn])

#os.remove(random_crt_fn)

def import_openbanking_key(self):
if os.path.isfile(Config.ob_key_fn) and os.path.isfile(Config.ob_cert_fn):
Expand Down
21 changes: 5 additions & 16 deletions jans-linux-setup/jans_setup/setup_app/utils/collect_properties.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,10 +196,10 @@ def collect(self):

ssl_subj = self.get_ssl_subject('/etc/certs/httpd.crt')

Config.countryCode = ssl_subj['C']
Config.state = ssl_subj['ST']
Config.city = ssl_subj['L']
Config.city = ssl_subj['L']
Config.countryCode = ssl_subj.get('countryName', '')
Config.state = ssl_subj.get('stateOrProvinceName', '')
Config.city = ssl_subj.get('localityName', '')
Config.admin_email = ssl_subj.get('emailAddress', '')

#this is not good, but there is no way to retreive password from ldap
if not Config.get('admin_password'):
Expand All @@ -209,11 +209,7 @@ def collect(self):
Config.admin_password = Config.cb_password

if not Config.get('orgName'):
Config.orgName = ssl_subj['O']

#for service in jetty_services:
# setup_prop[jetty_services[service][0]] = os.path.exists('/opt/jans/jetty/{0}/webapps/{0}.war'.format(service))

Config.orgName = ssl_subj.get('organizationName', '')

for s in ['jansScimEnabled']:
setattr(Config, s, oxConfiguration.get(s, False))
Expand Down Expand Up @@ -252,13 +248,6 @@ def collect(self):
Config.installEleven = os.path.exists(os.path.join(Config.jetty_base, 'jans-eleven/start.ini'))
Config.install_config_api = os.path.exists(os.path.join(Config.jansOptFolder, 'jans-config-api'))

result = dbUtils.search('ou=people,o=jans', search_filter='(&(uid=admin)(objectClass=jansPerson))')
if result:
Config.admin_inum = result['inum']
if 'mail' in result:
Config.admin_email = result['mail']


def save(self):
if os.path.exists(Config.setup_properties_fn):
self.backupFile(Config.setup_properties_fn)
Expand Down
21 changes: 13 additions & 8 deletions jans-linux-setup/jans_setup/setup_app/utils/crypto64.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
import re
import base64
import json
import socket
import ssl

from collections import OrderedDict
from pathlib import Path
Expand All @@ -15,15 +17,10 @@
class Crypto64:

def get_ssl_subject(self, ssl_fn):
cert_info = ssl._ssl._test_decode_cert(ssl_fn)
retDict = {}
cmd = paths.cmd_openssl + ' x509 -noout -subject -nameopt RFC2253 -in {}'.format(ssl_fn)
s = self.run(cmd, shell=True)
s = s.strip() + ','

for k in ('emailAddress', 'CN', 'O', 'L', 'ST', 'C'):
rex = re.search('{}=(.*?),'.format(k), s)
retDict[k] = rex.groups()[0] if rex else ''

for subj in cert_info["subject"]:
retDict[subj[0][0]] = subj[0][1]
return retDict

def obscure(self, data=""):
Expand Down Expand Up @@ -327,3 +324,11 @@ def encode_test_passwords(self):
Config.templateRenderingDict['oxauthClient_4_encoded_pw'] = self.obscure(Config.templateRenderingDict['oxauthClient_4_pw'])
except:
self.logIt("Error encoding test passwords", True)

def get_server_certificate(self, host):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
context = ssl.SSLContext()
ssl_sock = context.wrap_socket(sock, server_hostname=host)
ssl_sock.connect((host, 443))
cert_der = ssl_sock.getpeercert(True)
return ssl.DER_cert_to_PEM_cert(cert_der)
2 changes: 1 addition & 1 deletion jans-linux-setup/jans_setup/setup_app/utils/properties_utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -455,7 +455,7 @@ def check_oxd_ssl_cert(self, oxd_hostname, oxd_port):
self.writeFile(oxd_crt_fn, oxd_cert)
ssl_subjects = self.get_ssl_subject(oxd_crt_fn)

if ssl_subjects['CN'] != oxd_hostname:
if ssl_subjects.get('commonName') != oxd_hostname:
return ssl_subjects


Expand Down