feat(jans-pycloudlib): add low-level support for SSL persistence connection by iromli · Pull Request #12194 · JanssenProject/jans (original) (raw)
cat << 'EOF' | git apply
diff --git a/jans-pycloudlib/jans/pycloudlib/persistence/sql.py b/jans-pycloudlib/jans/pycloudlib/persistence/sql.py
--- a/jans-pycloudlib/jans/pycloudlib/persistence/sql.py
+++ b/jans-pycloudlib/jans/pycloudlib/persistence/sql.py
@@ -8,6 +8,7 @@
import re
import typing as _t
import warnings
+from cryptography.fernet import Fernet
from collections import defaultdict
from collections.abc import Callable
from functools import cached_property
@@ -277,6 +278,7 @@
def __init__(self, manager: Manager, *args: _t.Any, **kwargs: _t.Any) -> None:
self.manager = manager
self._fernet = None # will be initialized if needed
dialect = os.environ.get("CN_SQL_DB_DIALECT", "mysql")
if dialect in ("pgsql", "postgresql"):
@@ -291,6 +293,14 @@
if as_boolean(os.environ.get("CN_SQL_SSL_ENABLED", "false")):
self._bootstrap_ssl_assets()
- def _get_fernet(self):
if self._fernet is None:
key = os.environ.get("CN_SQL_SSL_SECRET_KEY")
if not key:
raise RuntimeError("CN_SQL_SSL_SECRET_KEY environment variable not set for SSL secret encryption")
self._fernet = Fernet(key.encode())
return self._fernet
def _bootstrap_ssl_assets(self):
for filepath, secret_name in [
(os.environ.get("CN_SQL_SSL_CACERT_FILE", "/etc/certs/sql_cacert.pem"), "sql_ssl_ca_cert"),
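Review bot: `_get_fernet` has no docstring and its only guarded failure is an unset variable; a key that is set but is not a valid 32-byte url-safe base64 token makes `Fernet(key.encode())` raise a bare ValueError that never names the variable at fault. I would add `"""Return the cached Fernet instance built from CN_SQL_SSL_SECRET_KEY; raises RuntimeError when the variable is unset."""` and wrap the constructor so the error is actionable: `except ValueError as exc: raise RuntimeError("CN_SQL_SSL_SECRET_KEY is not a valid Fernet key") from exc`. The `- def _get_fernet(self):` line carries a removal marker although the hunk counts (6 old, 14 new lines) make it an added method, so that looks like a rendering artifact rather than a real deletion. The enclosing class and the rest of `_bootstrap_ssl_assets` continue outside the hunk.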
@@ -304,9 +314,13 @@
if filepath and (contents := self.manager.secret.get(secret_name)):
logger.info(f"Detected non-empty {secret_name=}. The secret will be populated into {filepath!r}.")
with open(filepath, "w") as f:
f.write(contents)
# Encrypt the contents using Fernet before writing
fernet = self._get_fernet()
encrypted_contents = fernet.encrypt(contents.encode())
with open(filepath, "wb") as f:
f.write(encrypted_contents)
# client key must be protected using 600 permission
if secret_name == "sql_ssl_client_key": # noqa: B105
os.chmod(filepath, 0o600)
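Review bot: The client key file is still created by `open(filepath, "wb")` with whatever mode the process umask yields and only tightened afterwards by the context line `os.chmod(filepath, 0o600)`, so under a permissive umask the freshly written ciphertext is briefly readable by other local users; creating the file with the restrictive mode already set closes that window, and the existing chmod can stay to cover a pre-existing file whose mode `O_CREAT` does not change. Nothing in this hunk decrypts the Fernet output before the driver is handed these paths, so if the decrypt step lives elsewhere in the PR a comment on `_bootstrap_ssl_assets` naming where the plaintext PEM is materialized would help readers; if it does not exist, the CA, cert and key files will contain Fernet tokens rather than PEM. The enclosing loop and method start outside the hunk.
```python
# … unchanged: logger.info / _get_fernet / fernet.encrypt …
# create the file with its final mode so the key is never briefly world-readable
mode = 0o600 if secret_name == "sql_ssl_client_key" else 0o644
fd = os.open(filepath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
with os.fdopen(fd, "wb") as f:
    f.write(encrypted_contents)
# … unchanged: chmod for the client key (still needed for pre-existing files) …
```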
EOF