feat: jans linux setup openbanking CLI and certificate automation (#1472

) * fix: jans-linux-setup openbanking CLI fixes * fix: jans-linux-setup openbanking attribute,grant-types * fix: jans-cli jans-linux-setup fixes for openbanking * fix: jans-linux-setup ob fixes * fix: jans-linux-setup move ob test key to static folder * feat: jans-linux-setup ob MTLS configuration * feat: jans-linux-setup download ob cert from jwksUri * feat: jans-linux-setup log downloading cert * fix: jans-linux-setup code smells
JanssenProject · May 30, 2022 · 62b5868 · 62b5868
1 parent 8149133
commit 62b5868
Show file tree

Hide file tree

Showing 19 changed files with 379 additions and 107 deletions.
diff --git a/jans-linux-setup/jans_setup/install.py b/jans-linux-setup/jans_setup/install.py
@@ -88,6 +88,7 @@ def check_installation():
 
 def profile_setup():
     print("Preparing Setup for profile {}".format(argsp.profile))
+
     profile_dir = os.path.join(argsp.setup_dir, argsp.profile)
     replace_dirs = []
     if not os.path.exists(profile_dir):
@@ -123,6 +124,8 @@ def profile_setup():
                 print("Copying", source_file, target_dir)
                 shutil.copy(source_file, target_dir)
 
+
+
 def extract_setup():
     if os.path.exists(argsp.setup_dir):
         shutil.move(argsp.setup_dir, argsp.setup_dir + bacup_ext)

diff --git a/jans-linux-setup/jans_setup/jans_setup.py b/jans-linux-setup/jans_setup/jans_setup.py
@@ -351,7 +351,6 @@ def do_installation():
                     Config.ldapTrustStoreFn = Config.opendj_p12_fn
                     Config.encoded_ldapTrustStorePass = Config.encoded_opendj_p12_pass
 
-                jansInstaller.prepare_base64_extension_scripts()
                 jansInstaller.render_templates()
                 jansInstaller.render_configuration_template()
 
@@ -446,7 +445,13 @@ def do_installation():
         if Config.install_config_api or Config.install_scim_server:
             msg.installation_completed += "CLI available to manage Jannsen Server:\n"
             if Config.install_config_api:
-                msg.installation_completed += "/opt/jans/jans-cli/config-cli.py\n"
+                msg.installation_completed += "/opt/jans/jans-cli/config-cli.py"
+                if base.current_app.profile == static.SetupProfiles.OPENBANKING:
+                    ca_dir = os.path.join(Config.output_dir, 'CA')
+                    crt_fn = os.path.join(ca_dir, 'client.crt')
+                    key_fn = os.path.join(ca_dir, 'client.key')
+                    msg.installation_completed += ' -CC {} -CK {}'.format(crt_fn, key_fn)
+                msg.installation_completed +="\n"
             if  Config.profile == 'jans' and Config.install_scim_server:
                 msg.installation_completed += "/opt/jans/jans-cli/scim-cli.py"
 

diff --git a/jans-linux-setup/jans_setup/openbanking/.borrows b/jans-linux-setup/jans_setup/openbanking/.borrows
@@ -0,0 +1 @@
+jans_setup/static/extension/introspection/introspection_role_based_scope.py
diff --git a/jans-linux-setup/jans_setup/openbanking/static/ob-gluu-test.key b/jans-linux-setup/jans_setup/openbanking/static/ob-gluu-test.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCdTYepO49LgdCs
+iunlHlFjInS/uODFX+rW3N+XNNpyAGFL5/rwvUqoJkMnfo28WTGLYHKTw3u2A8qB
+6bd8OaWJM/ztw/Eu7o+JCeNN9ldJyKkqkzCz13psxJCiKpygrZLyzn1NyNsFGIKl
+V7GIUZg6mK8LwxuIEiEfqKvGNiu9iy33pcSvAVQAZR+J75FVC8hXQcnZkXO2srah
+Rm1+rdvE9C5gbDfkcRvzE+Rdmhe9Er43hpckxWcnHGffaP4hRy8Y3dhRFRCHKKn3
+MjOEsZzUrFRwjAReuRJo6AZ2Mq+j/OEEYWvGci01jdPVdP7TdASoWZXP+BF66VeK
+MO1ilPSXAgMBAAECggEAAcy9Hx4RKyYpQDgh/0mZWR7aosZCPW/grM7/zefrEeqC
+3SP31ouhOuBJMhP8GioTwN+nH/KuISx/mNHsPq3IK5Qz3M06SV+ttmiDDcV3molY
+X3t/T1Iep/eYcgqLxTjchA5XF63od5v1WV/x+43MxerbodunHnzv8mqdyy7xJteC
+umAlhE+UpKEfS+sVDjzd+lwswx9OPCLZzOxAVEgYiZikXcRCR1liaZKW1dY4jzjD
+a+T2og85fpUZklIdQ2xmWjLN8d15bpatKAu5+Ijoq7LSCyNVroXuNqjsKW2zVyu7
+DQJRFEQ7EAmv1SxpJhMaLjNV/ou8VClXTZOhJv6IcQKBgQDKKFWtzBWOU3b4xdP9
+8DLKgHDVNVUNJFufiXOm8aiPl9b7J7D0A0rCWbmYHsPERfhFA9/dPY0qTVL+gzGA
+V/p0gvMmnEIOFw48n1kIfnCt0bE8Ms8HPdcJ+y064nhm491Krao+ZEvSfJezREkM
+J+vVeo8Nyu1szG7mU1ypf7lC0QKBgQDHMuBfG+ctyl8gUoRIkq4Dn1eK/N2JpJOK
+kRAWFoU3kbYqCOQ4Ac//e07kXldqBJBwNuCHXehxfl7lbsKWPbiw0mgOZd9emM7H
+OobwjeQdLdSpEdoR8i9zts08PG5JIsQvQ96UdecU0AkBfVf+VwEgc6ke2WBhO0Bq
+L71QBVWK5wKBgQCjKvUkx2Hqs8GGQB7AizxjqFHqNRbF+b+eQFJBwDHeXJ8frsSr
+33Ba+BLODp7Sb+tYwSzSpNio+Spw1TGCNwCnQ/6//kVum/tYwQEa0vtdwK++OABU
+BvznSH4UVjD6UxcNLKkJnOh6JyhGgGo5TouSjk6iwlTqiQNGEqjrAnVk0QKBgQCI
+naD6ObXUVs3k6hLlfwuvWlH89a2un9u8lf61V16oHNwVeiGjM8MGUfhqcTV8dYLm
+IwzcahBn/iZxLgRwbAZF5xgMf9uxEhYG12ICix3e0TbfeWnZEwNuVfnuDPgKWri4
+PdDievYv9PmoNuHpgpw4OHrNuIH8TVnBOdqZjf78EwKBgEHgsp4OLISHMOhSek/j
+wK2bYLCJ2gDveyF03VUCIMHOKjLGxB+RdjRTaL9D0cxQa2MLMyDwox2+S7AHNDpN
+KViApNjCjWzq6OKcwq98mMlSelWrjZPB2j3hXEvrEoI6+1Li0fIYRMP0m6wKUfiZ
+gOmC/q0WZPsS6s0r3U0hQqa1
+-----END PRIVATE KEY-----
diff --git a/jans-linux-setup/jans_setup/openbanking/templates/apache/https_jans.conf b/jans-linux-setup/jans_setup/openbanking/templates/apache/https_jans.conf
@@ -1,16 +1,16 @@
 <VirtualHost  *:80>
-    ServerName bank.gluu.org
-    Redirect  / https://bank.gluu.org/
+    ServerName %(hostname)s
+    Redirect  / https://%(hostname)s/
     DocumentRoot "/var/www/html/"
 
     RewriteEngine on
-    RewriteCond %{SERVER_NAME} =bank.gluu.org
+    RewriteCond %{SERVER_NAME} =%(hostname)s
     RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
 </VirtualHost>
 
 <VirtualHost *:443>
     DocumentRoot "/var/www/html/"
-    ServerName bank.gluu.org:443
+    ServerName %(hostname)s:443
 
 
     SSLOptions +StdEnvVars
@@ -26,15 +26,15 @@
     SSLProtocol -all +TLSv1.2
     SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
     SSLHonorCipherOrder On
-    SSLCertificateFile /etc/certs/httpd.crt
-    SSLCertificateKeyFile /etc/certs/httpd.key
+    SSLCertificateFile /etc/certs/ob/server.crt
+    SSLCertificateKeyFile /etc/certs/ob/server.key
 
-    #SSLCertificateFile /etc/letsencrypt/live/bank.gluu.org/fullchain.pem
-    #SSLCertificateKeyFile /etc/letsencrypt/live/bank.gluu.org/privkey.pem
+    #SSLCertificateFile /etc/letsencrypt/live/%(hostname)s/fullchain.pem
+    #SSLCertificateKeyFile /etc/letsencrypt/live/%(hostname)s/privkey.pem
     #Include /etc/letsencrypt/options-ssl-apache.conf
 
     #following lines for OB trusted certs and revoked certs
-    #SSLCACertificateFile /etc/apache2/certs/matls.pem
+    SSLCACertificateFile /etc/certs/ob/ca.crt
     #SSLCARevocationFile revoked.pem 
     #SSLCARevocationCheck chain no_crl_for_cert_ok
     #SSLCARevocationPath /etc/apache2/certs/revoke/
@@ -49,7 +49,7 @@
     # Header always append X-Frame-Options SAMEORIGIN
     Header always set X-Xss-Protection "1; mode=block"
     Header always set X-Content-Type-Options nosniff
-    # Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://bank.gluu.org"
+    # Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://%(hostname)s"
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 
     Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
@@ -143,8 +143,6 @@
         Allow from all
     </Location>
 
-
-
     <Location /jans-auth/restv1/token>
         SSLVerifyClient require
         SSLVerifyDepth 10
@@ -161,6 +159,48 @@
         Allow from all
     </Location>
 
+    <Location /jans-auth/restv1/device_authorization>
+        ProxyPass http://localhost:8081/jans-auth/restv1/device_authorization
+        Order deny,allow
+        Allow from all
+    </Location>
+
+    <Location /jans-auth/device_authorization.htm>
+        ProxyPass http://localhost:8081/jans-auth/device_authorization.htm
+        Order deny,allow
+        Allow from all
+    </Location>
+
+    <Location /jans-auth/js>
+        ProxyPass http://localhost:8081/jans-auth/js
+        Order deny,allow
+        Allow from all
+    </Location>
+
+    <Location /jans-auth/stylesheet>
+        ProxyPass http://localhost:8081/jans-auth/stylesheet
+        Order deny,allow
+        Allow from all
+    </Location>
+
+    <Location /jans-auth/servlet>
+        ProxyPass http://localhost:8081/jans-auth/servlet
+        Order deny,allow
+        Allow from all
+    </Location>
+
+    <Location /jans-auth/restv1/userinfo>
+        ProxyPass http://localhost:8081/jans-auth/restv1/userinfo
+        Order deny,allow
+        Allow from all
+    </Location>
+
+    <Location /jans-auth/jakarta.faces.resource>
+        ProxyPass http://localhost:8081/jans-auth/jakarta.faces.resource
+        Order deny,allow
+        Allow from all
+    </Location>
+
     <Location /fapi-rs>
         SSLVerifyClient optional_no_ca
         SSLVerifyDepth 10

diff --git a/jans-linux-setup/jans_setup/openbanking/templates/attributes.ldif b/jans-linux-setup/jans_setup/openbanking/templates/attributes.ldif
@@ -1253,3 +1253,24 @@ objectClass: top
 objectClass: jansAttr
 urn: urn:mace:dir:attribute-def:jansBackchannelUsrCode
 
+dn: inum=4CF1,ou=attributes,o=jans
+description: jansAdminUIRole
+displayName: jansAdminUIRole
+inum: 4CF1
+jansAttrEditTyp: admin
+jansAttrEditTyp: user
+jansAttrName: jansAdminUIRole
+jansAttrOrigin: jansCustomPerson
+jansAttrSystemEditTyp: admin
+jansAttrSystemEditTyp: user
+jansAttrTyp: string
+jansAttrViewTyp: admin
+jansAttrViewTyp: user
+jansClaimName: jansAdminUIRole
+jansMultivaluedAttr: true
+jansSAML1URI: urn:mace:dir:attribute-def:jansAdminUIRole
+jansSAML2URI: urn:mace:dir:attribute-def:jansAdminUIRole
+jansStatus: active
+objectClass: top
+objectClass: jansAttr
+urn: sampleurn
diff --git a/jans-linux-setup/jans_setup/openbanking/templates/jans-auth/jans-auth-config.json b/jans-linux-setup/jans_setup/openbanking/templates/jans-auth/jans-auth-config.json
@@ -8,7 +8,7 @@
     "clientInfoEndpoint":"https://%(hostname)s/jans-auth/restv1/clientinfo",
     "checkSessionIFrame":"https://%(hostname)s/jans-auth/opiframe.htm",
     "endSessionEndpoint":"https://%(hostname)s/jans-auth/restv1/end_session",
-    "jwksUri":"%(jwksUri)s",
+    "jwksUri":"%(jwks_uri)s",
     "registrationEndpoint":"https://%(hostname)s/jans-auth/restv1/register",
     "openIdDiscoveryEndpoint":"https://%(hostname)s/.well-known/webfinger",
     "openIdConfigurationEndpoint":"https://%(hostname)s/.well-known/openid-configuration",
@@ -67,7 +67,8 @@
     "grantTypesSupported":[
         "client_credentials",
         "authorization_code",
-        "refresh_token"
+        "refresh_token",
+        "urn:ietf:params:oauth:grant-type:device_code"
     ],
     "allowIdTokenWithoutImplicitGrantType": true,
     "subjectTypesSupported":[
@@ -359,7 +360,7 @@
     "deviceAuthzRequestExpiresIn": 1800,
     "deviceAuthzTokenPollInterval": 5,
     "deviceAuthzResponseTypeToProcessAuthz": "code",
-    "staticKid": "%(staticKid)s",
+    "staticKid": "%(static_kid)s",
     "forceOfflineAccessScopeToEnableRefreshToken" : false,
     "redirectUrisRegexEnabled": false,
     "useHighestLevelScriptIfAcrScriptNotFound": true

diff --git a/jans-linux-setup/jans_setup/openbanking/templates/scopes.ldif b/jans-linux-setup/jans_setup/openbanking/templates/scopes.ldif
@@ -42,3 +42,63 @@ jansScopeTyp: openid
 objectClass: top
 objectClass: jansScope
 
+dn: inum=C4F7,ou=scopes,o=jans
+jansId: jans_stat
+inum: C4F7
+description: This scope is required for calling Statistic Endpoint
+jansDefScope: false
+jansAttrs: {"spontaneousClientId":"","spontaneousClientScopes":[],"showInConfigurationEndpoint":false}
+jansScopeTyp: openid
+objectClass: top
+objectClass: jansScope
+
+dn: inum=C4F6,ou=scopes,o=jans
+description: This scope value requests that an OAuth 2.0 Refresh Token be issued.
+displayName: refresh_token
+inum: C4F6
+jansAttrs: {"spontaneousClientId":"","spontaneousClientScopes":[],"showInConfigurationEndpoint":true}
+jansDefScope: true
+jansId: offline_access
+jansScopeTyp: openid
+objectClass: top
+objectClass: jansScope
+
+dn: inum=43F1,ou=scopes,o=jans
+description: View your basic profile info.
+displayName: view_profile
+inum: 43F1
+jansAttrs: {"spontaneousClientId":"","spontaneousClientScopes":[],"showInConfigurationEndpoint":true}
+jansClaim: inum=2B29,ou=attributes,o=jans
+jansClaim: inum=0C85,ou=attributes,o=jans
+jansClaim: inum=B4B0,ou=attributes,o=jans
+jansClaim: inum=A0E8,ou=attributes,o=jans
+jansClaim: inum=5EC6,ou=attributes,o=jans
+jansClaim: inum=B52A,ou=attributes,o=jans
+jansClaim: inum=64A0,ou=attributes,o=jans
+jansClaim: inum=EC3A,ou=attributes,o=jans
+jansClaim: inum=3B47,ou=attributes,o=jans
+jansClaim: inum=3692,ou=attributes,o=jans
+jansClaim: inum=98FC,ou=attributes,o=jans
+jansClaim: inum=A901,ou=attributes,o=jans
+jansClaim: inum=36D9,ou=attributes,o=jans
+jansClaim: inum=BE64,ou=attributes,o=jans
+jansClaim: inum=6493,ou=attributes,o=jans
+jansClaim: inum=4CF1,ou=attributes,o=jans
+jansDefScope: false
+jansId: profile
+jansScopeTyp: openid
+objectClass: top
+objectClass: jansScope
+
+dn: inum=764C,ou=scopes,o=jans
+description: View your email address.
+displayName: view_email_address
+inum: 764C
+jansAttrs: {"spontaneousClientId":"","spontaneousClientScopes":[],"showInConfigurationEndpoint":true}
+jansClaim: inum=8F88,ou=attributes,o=jans
+jansClaim: inum=CAE3,ou=attributes,o=jans
+jansDefScope: false
+jansId: email
+jansScopeTyp: openid
+objectClass: top
+objectClass: jansScope
diff --git a/jans-linux-setup/jans_setup/openbanking/templates/scripts.ldif b/jans-linux-setup/jans_setup/openbanking/templates/scripts.ldif
@@ -4,7 +4,7 @@ displayName: urn:openbanking:psd2:sca
 inum: A51E-76DA
 jansConfProperty: {"value1":"redirect_url","value2":"https://bank-op.gluu.org/oxauth/authorize.htm?scope=openid+profile+email+user_name&acr_values=basic&response_type=code&redirect_uri=https%3A%2F%2Fbank.gluu.org%2Fjans-auth%2Fpostlogin.htm&nonce=72fc1a52-25a7-4293-929d-b61b8a05c9c4&client_id=0c76f3bb-b6de-49c4-8dff-f53d7b768f96 ","description":""}
 jansConfProperty: {"value1":"tpp_jwks_url","value2":"https://keystore.openbankingtest.org.uk/0014H00001lFE7dQAG/0014H00001lFE7dQAG.jwks","description":""}
-jansEnabled: 1
+jansEnabled: %(enable_ob_auth_script)s
 jansLevel: 10
 jansModuleProperty: {"value1":"usage_type","value2":"interactive","description":""}
 jansModuleProperty: {"value1":"location_type","value2":"ldap","description":""}
@@ -72,3 +72,16 @@ jansScrTyp: introspection
 objectClass: top
 objectClass: jansCustomScr
 
+dn: inum=A44E-4F3D,ou=scripts,o=jans
+objectClass: top
+objectClass: jansCustomScr
+description: Role Based Scopes
+displayName: role_based_scopes
+inum: A44E-4F3D
+jansEnabled: true
+jansLevel: 1
+jansModuleProperty: {"value1":"location_type","value2":"ldap","description":""}
+jansProgLng: python
+jansRevision: 1
+jansScr::%(introspection_introspection_role_based_scope)s
+jansScrTyp: introspection
diff --git a/jans-linux-setup/jans_setup/setup_app/config.py b/jans-linux-setup/jans_setup/setup_app/config.py
@@ -139,9 +139,11 @@ def progress(self, service_name, msg, incr=False):
 
         if self.profile == OPENBANKING_PROFILE:
             self.use_external_key = True
-            self.ob_key_fn = '/root/obsigning-axV5umCvTMBMjPwjFQgEvb_NO_UPLOAD.key'
-            self.ob_cert_fn = '/root/obsigning.pem'
-            self.ob_alias = 'GkwIzWy88xWSlcWnLiEc8ip9s2M'
+            self.ob_key_fn = ''
+            self.ob_cert_fn = ''
+            self.ob_alias = ''
+            self.static_kid = ''
+            self.jwks_uri = ''
 
         # Component ithversions
         self.apache_version = None
@@ -398,7 +400,7 @@ def progress(self, service_name, msg, incr=False):
 
         if self.profile == OPENBANKING_PROFILE:
             #default locations are rdbm
-            self.mapping_locations = {'default': 'rdbm'}
+            self.mapping_locations = { group: 'rdbm' for group in self.couchbaseBucketDict }
         else:
             #default locations are OpenDJ
             self.mapping_locations = { group: 'ldap' for group in self.couchbaseBucketDict }

diff --git a/jans-linux-setup/jans_setup/setup_app/installers/httpd.py b/jans-linux-setup/jans_setup/setup_app/installers/httpd.py
@@ -4,7 +4,7 @@
 
 from setup_app import paths
 from setup_app.utils import base
-from setup_app.static import AppType, InstallOption
+from setup_app.static import AppType, InstallOption, SetupProfiles
 from setup_app.config import Config
 from setup_app.utils.setup_utils import SetupUtils
 from setup_app.installers.base import BaseInstaller
@@ -162,8 +162,11 @@ def configure(self):
             Config.httpdKeyPass = self.getPW()
 
 
-        # generate httpd self signed certificate
-        self.gen_cert('httpd', Config.httpdKeyPass, 'jetty')
+        if Config.profile == SetupProfiles.OPENBANKING:
+            self.ob_mtls_config()
+        else:
+            # generate httpd self signed certificate
+            self.gen_cert('httpd', Config.httpdKeyPass, 'jetty')
 
         self.enable()
         self.start()
@@ -190,5 +193,20 @@ def write_httpd_config(self):
             self.run([paths.cmd_ln, '-s', self.https_jans_fn,
                       '/etc/apache2/sites-enabled/https_jans.conf'])
 
+    def ob_mtls_config(self):
+
+        ca_key_fn, ca_crt_fn = self.gen_ca()
+        server_key_fn, server_csr_fn, server_crt_fn = self.gen_key_cert_from_ca(fn_suffix='server')
+        ob_certs_dir = os.path.join(Config.certFolder, 'ob')
+        self.run([paths.cmd_mkdir, '-p', ob_certs_dir])
+        self.copyFile(ca_crt_fn, ob_certs_dir)
+        self.copyFile(server_key_fn, ob_certs_dir)
+        self.copyFile(server_crt_fn, ob_certs_dir)
+
+        # create client cert
+        cn = 'cli.' + Config.hostname
+        self.gen_key_cert_from_ca(fn_suffix='client', cn=cn)
+
+
     def installed(self):
         return os.path.exists(self.https_jans_fn)