fix(cloud-native): add missing jans-lock policy (#12402) · JanssenProject/jans@7c3f0b6 (original) (raw)

`@@ -2,14 +2,19 @@

`

2

2

`import contextlib

`

3

3

`import json

`

4

4

`import logging.config

`

``

5

`+

import pathlib

`

5

6

`import os

`

6

7

`from collections import namedtuple

`

``

8

`+

from datetime import datetime

`

``

9

`+

from datetime import UTC

`

7

10

``

8

11

`from jans.pycloudlib import get_manager

`

9

12

`from jans.pycloudlib.persistence.sql import SqlClient

`

10

13

`from jans.pycloudlib.persistence.sql import doc_id_from_dn

`

11

14

`from jans.pycloudlib.persistence.utils import PersistenceMapper

`

12

15

`from jans.pycloudlib.utils import as_boolean

`

``

16

`+

from jans.pycloudlib.utils import get_random_chars

`

``

17

`+

from jans.pycloudlib.utils import generate_base64_contents

`

13

18

``

14

19

`from settings import LOGGING_CONFIG

`

15

20

`from utils import parse_lock_swagger_file

`

`@@ -56,22 +61,25 @@ def _transform_lock_dynamic_config(conf, manager):

`

56

61

` ],

`

57

62

` }),

`

58

63

` ("statEnabled", True),

`

59

``

`-

("messageConsumerType", "DISABLED"),

`

60

``

`-

("policyConsumerType", "DISABLED"),

`

``

64

`+

("protectionMode", "CEDARLING"),

`

``

65

`+

("cedarlingConfiguration", {

`

``

66

`+

"enabled": True,

`

``

67

`+

"policySources": [

`

``

68

`+

{

`

``

69

`+

"enabled": False,

`

``

70

`+

"authorizationToken": "",

`

``

71

`+

"policyStoreUri": ""

`

``

72

`+

}

`

``

73

`+

],

`

``

74

`+

"logType": "STD_OUT",

`

``

75

`+

"logLevel": "INFO",

`

``

76

`+

"externalPolicyStoreUri": ""

`

``

77

`+

}),

`

61

78

` ]:

`

62

79

`if missing_key not in conf:

`

63

80

`conf[missing_key] = value

`

64

81

`should_update = True

`

65

82

``

66

``

`-

channel rename

`

67

``

`-

if "jans_token" not in conf["tokenChannels"]:

`

68

``

`-

conf["tokenChannels"].append("jans_token")

`

69

``

-

70

``

`-

remove old channel

`

71

``

`-

with contextlib.suppress(ValueError):

`

72

``

`-

conf["tokenChannels"].remove("id_token")

`

73

``

`-

should_update = True

`

74

``

-

75

83

`# base endpoint is changed from jans-lock to jans-auth

`

76

84

`if conf["baseEndpoint"] != f"https://{hostname}/jans-auth/api/v1":

`

77

85

`conf["baseEndpoint"] = f"https://{hostname}/jans-auth/api/v1"

`

`@@ -149,6 +157,7 @@ def invoke(self):

`

149

157

`self.update_lock_client_scopes()

`

150

158

`self.update_lock_error_config()

`

151

159

`self.update_lock_static_config()

`

``

160

`+

self.update_lock_policy_config()

`

152

161

``

153

162

`def update_lock_dynamic_config(self):

`

154

163

`kwargs = {"table_name": "jansAppConf"}

`

`@@ -259,6 +268,49 @@ def update_lock_static_config(self):

`

259

268

`entry.attrs["jansRevision"] += 1

`

260

269

`self.backend.modify_entry(entry.id, entry.attrs, **kwargs)

`

261

270

``

``

271

`+

def update_lock_policy_config(self):

`

``

272

`+

kwargs = {"table_name": "jansAppConf"}

`

``

273

`+

id_ = doc_id_from_dn("ou=jans-lock,ou=configuration,o=jans")

`

``

274

+

``

275

`+

entry = self.backend.get_entry(id_, **kwargs)

`

``

276

+

``

277

`+

if not entry:

`

``

278

`+

return

`

``

279

+

``

280

`+

try:

`

``

281

`+

entry.attrs["jansConfPolicy"] = json.loads(entry.attrs["jansConfPolicy"])

`

``

282

`+

should_update = False

`

``

283

`+

except json.decoder.JSONDecodeError:

`

``

284

`+

should_update = True

`

``

285

`+

entry.attrs["jansConfPolicy"] = {}

`

``

286

+

``

287

`+

policy is not empty, skip the process

`

``

288

`+

if not should_update:

`

``

289

`+

return

`

``

290

+

``

291

`+

with open("/app/templates/jans-lock/policy_conf_tmp.json") as f:

`

``

292

`+

ctx = {

`

``

293

`+

"policy_store_id": get_random_chars(22),

`

``

294

`+

"local_trusted_issuer_id": os.urandom(22).hex(),

`

``

295

`+

"hostname": self.manager.config.get("hostname"),

`

``

296

`+

}

`

``

297

`+

policy_mapping = json.loads(f.read() % ctx)

`

``

298

+

``

299

`+

for plc in pathlib.Path("/app/templates/jans-lock/policy").rglob("*.json"):

`

``

300

`+

plc_id = os.urandom(22).hex()

`

``

301

`+

policy_mapping["policy_stores"][ctx["policy_store_id"]]["policies"][plc_id] = {

`

``

302

`+

"description": f"Policy for {plc.stem}",

`

``

303

`+

"creation_date": datetime.now(UTC).isoformat(),

`

``

304

`+

"policy_content": generate_base64_contents(plc.read_text())

`

``

305

`+

}

`

``

306

+

``

307

`+

with open("/app/templates/jans-lock/cedarling_core.json") as f:

`

``

308

`+

policy_mapping["policy_stores"][ctx["policy_store_id"]]["schema"] = generate_base64_contents(f.read())

`

``

309

+

``

310

`+

entry.attrs["jansConfPolicy"] = json.dumps(policy_mapping)

`

``

311

`+

entry.attrs["jansRevision"] += 1

`

``

312

`+

self.backend.modify_entry(entry.id, entry.attrs, **kwargs)

`

``

313

+

262

314

``

263

315

`def main(): # noqa: D103

`

264

316

`manager = get_manager()

`
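Review bot: The `try` in update_lock_policy_config catches only `json.decoder.JSONDecodeError`, so if the backend returns `None` for a `jansConfPolicy` attribute that has never been set (plausibly the very case this commit is meant to seed) `json.loads` raises `TypeError` and the whole bootstrap aborts instead of writing the policy; I would normalise first with `raw = entry.attrs.get("jansConfPolicy") or ""` and then `entry.attrs["jansConfPolicy"] = json.loads(raw)`, so a missing or empty value takes the `should_update = True` path. Note also that anything that parses, including `{}` or `null`, is treated as "policy is not empty" and skipped, which does not match the comment above the early return. Separately, `f.read() % ctx` splices `hostname` straight into the JSON template, so a hostname containing `"`, `\` or `%` would corrupt or alter the policy-store document; interpolating `json.dumps(hostname)` (or validating the hostname before substitution) would make the template safe, though how `manager.config` is populated is outside this hunk.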