From 71e7aa0162ff9ad063d8e6e43ff9954fc10f1dd5 Mon Sep 17 00:00:00 2001 
From: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> Date: Thu, 3 Dec 2020 09:47:15 -0500 Subject: [PATCH] initial changes from gluu to jans (#2) * initial changes from gluu to jans * move oxauth to auth-server * Update release.yaml * switch to jans-auth-server * Change envs prefix from JANS to CLOUD_NATIVE * Change envs prefix to CN * initial working image * sync manifests * update manifests * update jans-pycloudlib * Update scanimage.yml * bump Jython's pip to v19.2 * Add non root user #3 * fix refs #3 * update jans-pycloudlib * copy custom jar from share directory * install latest cryptography * Update war * sync manifests * update dependencies * chore(dockerfile): update build date * docs: update reference in README * feat(build-date): Update build date * feat(build-date): update build date * feat(build-date): update build date * feat(Dockerfile): update build date * fix(healthcheck): update health endpoint * ci(autobuilds): Fix repos and commit settings * ci(autobuilds): Add jans-config-api * feat(Dockerfile): Updated build date Co-authored-by: mogluu <47318409+mogluu@users.noreply.github.com> Co-authored-by: iromli --- .github/workflows/release.yaml | 8 +- .github/workflows/scanimage.yml | 20 ++- .github/workflows/triggerdevbuild.yml | 11 +- Dockerfile | 161 ++++++++++-------- Makefile | 16 +- README.md | 104 +++++------ automation/auto_update_build_date.py | 46 ++--- ..._gluu_creds.json => super_jans_creds.json} | 8 +- ...u_creds.json => vericloud_jans_creds.json} | 0 .../HyperFIDO_CA_Cert_V1.pem | 11 -- .../HyperFIDO_CA_Cert_V2.pem | 12 -- .../authenticator_cert/yubico-u2f-ca-cert.crt | 19 --- conf/fido2/mds_toc_cert/metadata-root-ca.cer | 15 -- conf/gluu.properties.tmpl | 13 -- ...es.tmpl => jans-couchbase.properties.tmpl} | 8 + ...perties.tmpl => jans-ldap.properties.tmpl} | 0 conf/jans.properties.tmpl | 9 + jetty/{oxauth.xml => jans-auth.xml} | 4 +- ...ources.xml => jans-auth_web_resources.xml} | 4 +- libs/casa-external_super_gluu.py | 2 +- 
requirements.txt | 2 +- scripts/{entrypoint.py => bootstrap.py} | 73 +++----- scripts/entrypoint.sh | 32 ++-- scripts/healthcheck.py | 2 +- scripts/jca_sync.py | 22 +-- scripts/jks_sync.py | 12 +- scripts/mod_context.py | 10 +- scripts/wait.py | 4 +- 28 files changed, 294 insertions(+), 334 deletions(-) rename certs/{super_gluu_creds.json => super_jans_creds.json} (79%) rename certs/{vericloud_gluu_creds.json => vericloud_jans_creds.json} (100%) delete mode 100644 conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V1.pem delete mode 100644 conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V2.pem delete mode 100644 conf/fido2/authenticator_cert/yubico-u2f-ca-cert.crt delete mode 100644 conf/fido2/mds_toc_cert/metadata-root-ca.cer delete mode 100644 conf/gluu.properties.tmpl rename conf/{gluu-couchbase.properties.tmpl => jans-couchbase.properties.tmpl} (69%) rename conf/{gluu-ldap.properties.tmpl => jans-ldap.properties.tmpl} (100%) create mode 100644 conf/jans.properties.tmpl rename jetty/{oxauth.xml => jans-auth.xml} (76%) rename jetty/{oxauth_web_resources.xml => jans-auth_web_resources.xml} (73%) rename scripts/{entrypoint.py => bootstrap.py} (54%) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8be1788b..52494491 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,9 +1,8 @@ name: release -# This builds, packages and releases pygluu-kubernetes on: push: paths: - #- __version__.py + - __version__.py branches-ignore: - master jobs: 
@@ -43,6 +42,7 @@ jobs: echo "::set-output name=pversion::$(python3 -c 'import __version__ ; print(__version__.__previous_version__)')" echo "::set-output name=gituser::$(python3 -c 'import os ; REPO = os.environ.get("GITHUB_REPOSITORY") ; print(str(REPO).split("/")[0])')" echo "::set-output name=gitproject::$(python3 -c 'import os ; REPO = os.environ.get("GITHUB_REPOSITORY") ; print(str(REPO).split("/")[1])')" + echo "::set-output name=gitbranch::$(python3 -c 'import os ; BRANCH = os.environ.get("GITHUB_REF") ; print(str(BRANCH).split("/")[2])')" echo "::set-output name=releasedate::$(date +'%d-%m-%Y')" @@ -50,7 +50,7 @@ jobs: run: | cd /home/runner/work/test/ sudo gem install github_changelog_generator - github_changelog_generator --user ${{ steps.get_version.outputs.gituser }} --project ${{ steps.get_version.outputs.gitproject }} --date-format "%m/%d/%Y" --header-label "# Release Notes" --output release_notes.md --token ${{ secrets.token }} --since-tag ${{ steps.get_version.outputs.pversion }} --author false + github_changelog_generator --user ${{ steps.get_version.outputs.gituser }} --project ${{ steps.get_version.outputs.gitproject }} --date-format "%m/%d/%Y" --header-label "# Release Notes" --output release_notes.md --token ${{ secrets.token }} --include-labels ${{ steps.get_version.outputs.gitbranch }} --since-tag v${{ steps.get_version.outputs.pversion }} --author false sed -i '$ d' release_notes.md github_changelog_generator --user ${{ steps.get_version.outputs.gituser }} --project ${{ steps.get_version.outputs.gitproject }} --date-format "%m/%d/%Y" --token ${{ secrets.token }} --author false sed -i '$ d' CHANGELOG.md @@ -83,4 +83,4 @@ jobs: ${{ steps.changelog.outputs.body }} draft: false - prerelease: false + prerelease: false \ No newline at end of file diff --git a/.github/workflows/scanimage.yml b/.github/workflows/scanimage.yml index 87cf2f5c..223972d3 100644 --- a/.github/workflows/scanimage.yml +++ b/.github/workflows/scanimage.yml 
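Review bot: The new `gitbranch` output in the `@@ -43` hunk is computed as `str(BRANCH).split("/")[2]`, which keeps only the first path segment of a `refs/heads/...` ref, so a branch such as `release/5.0` is reported as `release` and the `--include-labels` filter added in the `@@ -50` hunk then selects the wrong label; `print("/".join(str(BRANCH).split("/")[2:]))` keeps the full branch name. That output is afterwards interpolated with `${{ steps.get_version.outputs.gitbranch }}` straight into the `run:` shell line of the `@@ -50` hunk, and since branch names may contain shell metacharacters it is safer to pass it through an `env:` entry and reference it as a quoted `"$GITBRANCH"`. The `get_version` step and the changelog step both begin outside their hunks.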
@@ -1,19 +1,21 @@ name: Scan Image -on: [workflow_dispatch] +on: [push] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag local/scanimage:latest + - name: Build the Container image + run: docker build . --file Dockerfile --tag localbuild/scanimage:latest - uses: anchore/scan-action@v2 + id: scan with: - image: "local/scanimage:latest" - fail-build: true - - name: anchore inline scan JSON results - run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done + image: "localbuild/scanimage:latest" + acs-report-enable: true + - name: upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif - uses: azure/container-scan@v0 with: - image-name: local/scanimage:latest -# Add Serif report once Code Scanner is out of beta stage + image-name: localbuild/scanimage:latest diff --git a/.github/workflows/triggerdevbuild.yml b/.github/workflows/triggerdevbuild.yml index 3ad2707d..14557afc 100644 --- a/.github/workflows/triggerdevbuild.yml +++ b/.github/workflows/triggerdevbuild.yml @@ -1,5 +1,4 @@ name: triggerdevbuild -# This builds, packages and releases pygluu-kubernetes on: [workflow_dispatch] jobs: checkBuildAndUpdate: 
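Review bot: The `anchore/scan-action@v2` step loses its `fail-build: true` line while gaining `acs-report-enable: true`, so unless the action's default is to fail, a vulnerable image now only produces a SARIF upload and the workflow stays green; keeping `fail-build: true` next to `acs-report-enable: true` preserves the gate while still publishing the report. The trigger is widened from `workflow_dispatch` to `on: [push]`, which builds and scans the image on every push to every branch; if that is intended it is worth saying so in a comment, otherwise a `branches:` or `paths:` filter would narrow it. The newly added `github/codeql-action/upload-sarif@v1` step, like the other actions here, is referenced by a floating major tag; pinning to a full commit SHA keeps the scan toolchain itself from changing underneath the build.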
@@ -31,13 +30,13 @@ jobs: - uses: stefanzweifel/git-auto-commit-action@v4 with: # Required - commit_message: Updated build date. + commit_message: 'feat(Dockerfile): Updated build date' # Optional local file path to the repository repository: . - + commit-message: 'feat(helm): Update Helm Chart' # Optional commit user and author settings - commit_user_name: git-gluu - commit_user_email: git-gluu@github.com - commit_author: git-gluu + commit_user_name: ${{ github.actor }} + commit_user_email: ${{ github.actor }}@users.noreply.github.com + commit_author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> # Optional: Disable dirty check and always try to create a commit and push skip_dirty_check: true \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index dcfac7be..51369ef6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,7 @@ RUN mkdir -p /usr/lib/jvm/default-jvm /usr/java/latest \ RUN apk update \ && apk add --no-cache openssl py3-pip tini curl bash \ - && apk add --no-cache --virtual build-deps wget git + && apk add --no-cache --virtual build-deps wget git gcc musl-dev python3-dev libffi-dev openssl-dev # ====== # rclone @@ -29,7 +29,7 @@ RUN wget -q https://github.com/rclone/rclone/releases/download/${RCLONE_VERSION} ARG JETTY_VERSION=9.4.26.v20200117 ARG JETTY_HOME=/opt/jetty -ARG JETTY_BASE=/opt/gluu/jetty +ARG JETTY_BASE=/opt/jans/jetty ARG JETTY_USER_HOME_LIB=/home/jetty/lib # Install jetty 
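Review bot: The added `commit-message: 'feat(helm): Update Helm Chart'` line under `with:` uses a hyphenated key beside the existing underscore form `commit_message: 'feat(Dockerfile): Updated build date'` two lines above, and its text refers to a Helm chart while this repository builds a container image, so it looks like a stray paste that the action will either ignore or apply as an unintended message. Drop the `commit-message:` line, or if a different message is wanted fold it into the single `commit_message:` input. The `steps:` list this hunk sits in begins outside the hunk.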
@@ -47,24 +47,26 @@ EXPOSE 8080 # ====== ARG JYTHON_VERSION=2.7.2 -RUN wget -q https://ox.gluu.org/dist/jython/${JYTHON_VERSION}/jython-installer-${JYTHON_VERSION}.jar -O /tmp/jython-installer.jar \ +RUN wget -q https://repo1.maven.org/maven2/org/python/jython-installer/${JYTHON_VERSION}/jython-installer-${JYTHON_VERSION}.jar -O /tmp/jython-installer.jar \ && mkdir -p /opt/jython \ && java -jar /tmp/jython-installer.jar -v -s -d /opt/jython \ + && /opt/jython/bin/pip install --no-cache-dir "pip==19.2" \ && rm -f /tmp/jython-installer.jar /tmp/*.properties -# ====== -# oxAuth -# ====== +# =========== +# Auth server +# =========== -ENV JANS_VERSION=4.2.2-SNAPSHOT -ENV JANS_BUILD_DATE="2020-09-28 18:23" +ENV CN_VERSION=5.0.0-SNAPSHOT +ENV CN_BUILD_DATE="2020-12-03 07:33" +ENV CN_SOURCE_URL=https://maven.jans.io/maven/io/jans/jans-auth-server/${CN_VERSION}/jans-auth-server-${CN_VERSION}.war # Install oxAuth -RUN wget -q https://ox.gluu.org/maven/org/gluu/oxauth-server/${JANS_VERSION}/oxauth-server-${JANS_VERSION}.war -O /tmp/oxauth.war \ - && mkdir -p ${JETTY_BASE}/oxauth/webapps/oxauth \ - && unzip -qq /tmp/oxauth.war -d ${JETTY_BASE}/oxauth/webapps/oxauth \ - && java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/oxauth --add-to-start=server,deploy,annotations,resources,http,http-forwarded,threadpool,jsp,websocket \ - && rm -f /tmp/oxauth.war +RUN wget -q ${CN_SOURCE_URL} -O /tmp/jans-auth.war \ + && mkdir -p ${JETTY_BASE}/jans-auth/webapps/jans-auth \ + && unzip -qq /tmp/jans-auth.war -d ${JETTY_BASE}/jans-auth/webapps/jans-auth \ + && java -jar ${JETTY_HOME}/start.jar jetty.home=${JETTY_HOME} jetty.base=${JETTY_BASE}/jans-auth --add-to-start=server,deploy,annotations,resources,http,http-forwarded,threadpool,jsp,websocket \ + && rm -f /tmp/jans-auth.war # =========== # Custom libs 
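Review bot: The server artifact is fetched with `wget -q ${CN_SOURCE_URL} -O /tmp/jans-auth.war` and unpacked with no integrity check, and `CN_VERSION=5.0.0-SNAPSHOT` names a mutable snapshot, so two builds of the same Dockerfile can pull different bytes and a modified artifact would go unnoticed. Verifying a digest before the `unzip`, e.g. `echo "<EXPECTED_SHA256>  /tmp/jans-auth.war" | sha256sum -c -` with the digest supplied as a build `ARG`, or pinning to a timestamped snapshot file name, would make the image reproducible. The same applies to the Jython installer downloaded in this hunk and to `pip install --no-cache-dir "pip==19.2"`, which pins a version but not a hash. The comment `# Install oxAuth` above the `RUN` is now stale and should read `# Install jans-auth-server`.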
@@ -81,11 +83,10 @@ RUN wget -q https://repo1.maven.org/maven2/org/jsmpp/jsmpp/${JSMPP_VERSION}/jsmp # Python # ====== -RUN apk add --no-cache py3-cryptography py3-multidict py3-yarl COPY requirements.txt /app/requirements.txt RUN pip3 install -U pip \ && pip3 install --no-cache-dir -r /app/requirements.txt \ - && rm -rf /src/pygluu-containerlib/.git + && rm -rf /src/jans-pycloudlib/.git # ======= # Cleanup 
@@ -105,76 +106,79 @@ COPY LICENSE /licenses/ # Config ENV # ========== -ENV JANS_CONFIG_ADAPTER=consul \ - JANS_CONFIG_CONSUL_HOST=localhost \ - JANS_CONFIG_CONSUL_PORT=8500 \ - JANS_CONFIG_CONSUL_CONSISTENCY=stale \ - JANS_CONFIG_CONSUL_SCHEME=http \ - JANS_CONFIG_CONSUL_VERIFY=false \ - JANS_CONFIG_CONSUL_CACERT_FILE=/etc/certs/consul_ca.crt \ - JANS_CONFIG_CONSUL_CERT_FILE=/etc/certs/consul_client.crt \ - JANS_CONFIG_CONSUL_KEY_FILE=/etc/certs/consul_client.key \ - JANS_CONFIG_CONSUL_TOKEN_FILE=/etc/certs/consul_token \ - JANS_CONFIG_KUBERNETES_NAMESPACE=default \ - JANS_CONFIG_KUBERNETES_CONFIGMAP=gluu \ - JANS_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false +ENV CN_CONFIG_ADAPTER=consul \ + CN_CONFIG_CONSUL_HOST=localhost \ + CN_CONFIG_CONSUL_PORT=8500 \ + CN_CONFIG_CONSUL_CONSISTENCY=stale \ + CN_CONFIG_CONSUL_SCHEME=http \ + CN_CONFIG_CONSUL_VERIFY=false \ + CN_CONFIG_CONSUL_CACERT_FILE=/etc/certs/consul_ca.crt \ + CN_CONFIG_CONSUL_CERT_FILE=/etc/certs/consul_client.crt \ + CN_CONFIG_CONSUL_KEY_FILE=/etc/certs/consul_client.key \ + CN_CONFIG_CONSUL_TOKEN_FILE=/etc/certs/consul_token \ + CN_CONFIG_CONSUL_NAMESPACE=jans \ + CN_CONFIG_KUBERNETES_NAMESPACE=default \ + CN_CONFIG_KUBERNETES_CONFIGMAP=jans \ + CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG=false # ========== # Secret ENV # ========== -ENV JANS_SECRET_ADAPTER=vault \ - JANS_SECRET_VAULT_SCHEME=http \ - JANS_SECRET_VAULT_HOST=localhost \ - JANS_SECRET_VAULT_PORT=8200 \ - JANS_SECRET_VAULT_VERIFY=false \ - JANS_SECRET_VAULT_ROLE_ID_FILE=/etc/certs/vault_role_id \ - JANS_SECRET_VAULT_SECRET_ID_FILE=/etc/certs/vault_secret_id \ - JANS_SECRET_VAULT_CERT_FILE=/etc/certs/vault_client.crt \ - JANS_SECRET_VAULT_KEY_FILE=/etc/certs/vault_client.key \ - JANS_SECRET_VAULT_CACERT_FILE=/etc/certs/vault_ca.crt \ - JANS_SECRET_KUBERNETES_NAMESPACE=default \ - JANS_SECRET_KUBERNETES_SECRET=gluu \ - JANS_SECRET_KUBERNETES_USE_KUBE_CONFIG=false +ENV CN_SECRET_ADAPTER=vault \ + CN_SECRET_VAULT_SCHEME=http \ + 
CN_SECRET_VAULT_HOST=localhost \ + CN_SECRET_VAULT_PORT=8200 \ + CN_SECRET_VAULT_VERIFY=false \ + CN_SECRET_VAULT_ROLE_ID_FILE=/etc/certs/vault_role_id \ + CN_SECRET_VAULT_SECRET_ID_FILE=/etc/certs/vault_secret_id \ + CN_SECRET_VAULT_CERT_FILE=/etc/certs/vault_client.crt \ + CN_SECRET_VAULT_KEY_FILE=/etc/certs/vault_client.key \ + CN_SECRET_VAULT_CACERT_FILE=/etc/certs/vault_ca.crt \ + CN_SECRET_VAULT_NAMESPACE=jans \ + CN_SECRET_KUBERNETES_NAMESPACE=default \ + CN_SECRET_KUBERNETES_SECRET=jans \ + CN_SECRET_KUBERNETES_USE_KUBE_CONFIG=false # =============== # Persistence ENV # =============== -ENV JANS_PERSISTENCE_TYPE=ldap \ - JANS_PERSISTENCE_LDAP_MAPPING=default \ - JANS_LDAP_URL=localhost:1636 \ - JANS_COUCHBASE_URL=localhost \ - JANS_COUCHBASE_USER=admin \ - JANS_COUCHBASE_CERT_FILE=/etc/certs/couchbase.crt \ - JANS_COUCHBASE_PASSWORD_FILE=/etc/gluu/conf/couchbase_password \ - JANS_COUCHBASE_CONN_TIMEOUT=10000 \ - JANS_COUCHBASE_CONN_MAX_WAIT=20000 \ - JANS_COUCHBASE_SCAN_CONSISTENCY=not_bounded +ENV CN_PERSISTENCE_TYPE=ldap \ + CN_PERSISTENCE_LDAP_MAPPING=default \ + CN_LDAP_URL=localhost:1636 \ + CN_COUCHBASE_URL=localhost \ + CN_COUCHBASE_USER=admin \ + CN_COUCHBASE_CERT_FILE=/etc/certs/couchbase.crt \ + CN_COUCHBASE_PASSWORD_FILE=/etc/jans/conf/couchbase_password \ + CN_COUCHBASE_CONN_TIMEOUT=10000 \ + CN_COUCHBASE_CONN_MAX_WAIT=20000 \ + CN_COUCHBASE_SCAN_CONSISTENCY=not_bounded # =========== # Generic ENV # =========== -ENV JANS_MAX_RAM_PERCENTAGE=75.0 \ - JANS_WAIT_MAX_TIME=300 \ - JANS_WAIT_SLEEP_DURATION=10 \ +ENV CN_MAX_RAM_PERCENTAGE=75.0 \ + CN_WAIT_MAX_TIME=300 \ + CN_WAIT_SLEEP_DURATION=10 \ PYTHON_HOME=/opt/jython \ - JANS_DOCUMENT_STORE_TYPE=LOCAL \ - JANS_JACKRABBIT_URL=http://localhost:8080 \ - JANS_JACKRABBIT_ADMIN_ID=admin \ - JANS_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/gluu/conf/jackrabbit_admin_password \ - JANS_JAVA_OPTIONS="" \ - JANS_SSL_CERT_FROM_SECRETS=false \ - JANS_SYNC_JKS_ENABLED=false \ - JANS_SYNC_JKS_INTERVAL=30 + 
CN_DOCUMENT_STORE_TYPE=LOCAL \ + CN_JACKRABBIT_URL=http://localhost:8080 \ + CN_JACKRABBIT_ADMIN_ID=admin \ + CN_JACKRABBIT_ADMIN_PASSWORD_FILE=/etc/jans/conf/jackrabbit_admin_password \ + CN_JAVA_OPTIONS="" \ + CN_SSL_CERT_FROM_SECRETS=false \ + CN_SYNC_JKS_ENABLED=false \ + CN_SYNC_JKS_INTERVAL=30 \ + CN_NAMESPACE=jans # ========== # misc stuff # ========== LABEL name="Janssen Authorization Server" \ - maintainer="Jansson org. " \ + maintainer="Janssen Project " \ vendor="Janssen Project" \ version="5.0.0" \ release="dev" \ 
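Review bot: Three variables are introduced in this hunk that the README hunk of this same commit does not describe: `CN_CONFIG_CONSUL_NAMESPACE=jans`, `CN_SECRET_VAULT_NAMESPACE=jans` and `CN_NAMESPACE=jans`; the README's environment-variable list covers every other `CN_*` default but omits these. Add entries of the form `` - `CN_CONFIG_CONSUL_NAMESPACE`: Consul namespace (default to `jans`). `` for each of the three, stating what the namespace scopes, so operators know which backend object the value selects. The `ENV` block for generic settings that `CN_NAMESPACE` is appended to begins outside this physical line.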
@@ -182,19 +186,36 @@ LABEL name="Janssen Authorization Server" \ description="OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)" RUN mkdir -p /etc/certs /deploy \ - /opt/gluu/python/libs \ - ${JETTY_BASE}/oxauth/custom/pages ${JETTY_BASE}/oxauth/custom/static \ - ${JETTY_BASE}/oxauth/custom/i18n \ - /etc/gluu/conf \ + /opt/jans/python/libs \ + ${JETTY_BASE}/jans-auth/custom/pages ${JETTY_BASE}/jans-auth/custom/static \ + ${JETTY_BASE}/jans-auth/custom/i18n \ + /etc/jans/conf \ /app/templates -COPY libs /opt/gluu/python/libs +COPY libs /opt/jans/python/libs COPY certs /etc/certs -COPY jetty/oxauth_web_resources.xml ${JETTY_BASE}/oxauth/webapps/ -COPY jetty/oxauth.xml ${JETTY_BASE}/oxauth/webapps/ +COPY jetty/jans-auth_web_resources.xml ${JETTY_BASE}/jans-auth/webapps/ +COPY jetty/jans-auth.xml ${JETTY_BASE}/jans-auth/webapps/ COPY conf/*.tmpl /app/templates/ COPY scripts /app/scripts RUN chmod +x /app/scripts/entrypoint.sh +# # create non-root user +RUN adduser -s /bin/sh -D -G root -u 1000 jetty + + # adjust ownership +RUN chown -R 1000:1000 /opt/jans/jetty \ + && chown -R 1000:1000 /opt/jetty \ + && chown -R 1000:1000 /deploy \ + && chown -R 1000:1000 /tmp \ + && chmod -R g+w /usr/lib/jvm/default-jvm/jre/lib/security/cacerts \ + && chgrp -R 0 /opt/jans/jetty && chmod -R g=u /opt/jans/jetty \ + && chgrp -R 0 /opt/jetty && chmod -R g=u /opt/jetty \ + && chgrp -R 0 /tmp && chmod -R g=u /tmp \ + && chgrp -R 0 /deploy && chmod -R g=u /deploy \ + && chgrp -R 0 /etc/certs && chmod -R g=u /etc/certs \ + && chgrp -R 0 /etc/jans && chmod -R g=u /etc/jans +USER 1000 + ENTRYPOINT ["tini", "-e", "143", "-g", "--"] CMD ["sh", "/app/scripts/entrypoint.sh"] diff --git a/Makefile b/Makefile index 4a68ff16..4dd0e16e 100644 --- a/Makefile +++ b/Makefile 
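Review bot: The ownership block grants more write access than the switch to a non-root user needs: `chmod -R g+w /usr/lib/jvm/default-jvm/jre/lib/security/cacerts` together with `chgrp -R 0 /etc/certs && chmod -R g=u /etc/certs` leave the JVM trust store and the certificate and key directory writable by the runtime user `jetty` (created with `-G root`), so a fault in anything running as that user can change what the server trusts. If the entrypoint has to import certificates at runtime, narrow the grant to the specific files it writes and keep the rest of `/etc/certs` read-only for the group. The `chown -R 1000:1000` lines can be dropped, since the group they set is overwritten by the following `chgrp -R 0` on the same paths. The comment lines `# # create non-root user` and ` # adjust ownership` carry a doubled `#` and a stray leading space; `# create non-root user` and `# adjust ownership` match the rest of the file.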
@@ -1,15 +1,15 @@ -JANS_VERSION=4.2.2 -IMAGE_NAME=gluufederation/oxauth +CN_VERSION=5.0.0 +IMAGE_NAME=janssenproject/auth-server UNSTABLE_VERSION=dev build-dev: - @echo "[I] Building Docker image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION}" - @docker build --rm --force-rm -t ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} . + @echo "[I] Building Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION}" + @docker build --rm --force-rm -t ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} . trivy-scan: - @echo "[I] Scanning Docker image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} using trivy" - @trivy -d image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} + @echo "[I] Scanning Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} using trivy" + @trivy -d image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} dockle-scan: - @echo "[I] Scanning Docker image ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} using dockle" - @dockle -d ${IMAGE_NAME}:${JANS_VERSION}_${UNSTABLE_VERSION} + @echo "[I] Scanning Docker image ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} using dockle" + @dockle -d ${IMAGE_NAME}:${CN_VERSION}_${UNSTABLE_VERSION} diff --git a/README.md b/README.md index 7cc2684f..e9fe4d78 100644 --- a/README.md +++ b/README.md 
@@ -5,60 +5,60 @@ Docker image packaging for Janssen Authorization Server. ## Versions See [Releases](https://github.com/JanssenProject/docker-jans-auth-server/releases) for stable versions. -For bleeding-edge/unstable version, use `janssenproject/jans-auth-server:5.0.0_dev`. +For bleeding-edge/unstable version, use `janssenproject/auth-server:5.0.0_dev`. ## Environment Variables The following environment variables are supported by the container: -- `JANS_CONFIG_ADAPTER`: The config backend adapter, can be `consul` (default) or `kubernetes`. -- `JANS_CONFIG_CONSUL_HOST`: hostname or IP of Consul (default to `localhost`). -- `JANS_CONFIG_CONSUL_PORT`: port of Consul (default to `8500`). -- `JANS_CONFIG_CONSUL_CONSISTENCY`: Consul consistency mode (choose one of `default`, `consistent`, or `stale`). Default to `stale` mode. -- `JANS_CONFIG_CONSUL_SCHEME`: supported Consul scheme (`http` or `https`). -- `JANS_CONFIG_CONSUL_VERIFY`: whether to verify cert or not (default to `false`). -- `JANS_CONFIG_CONSUL_CACERT_FILE`: path to Consul CA cert file (default to `/etc/certs/consul_ca.crt`). This file will be used if it exists and `JANS_CONFIG_CONSUL_VERIFY` set to `true`. -- `JANS_CONFIG_CONSUL_CERT_FILE`: path to Consul cert file (default to `/etc/certs/consul_client.crt`). -- `JANS_CONFIG_CONSUL_KEY_FILE`: path to Consul key file (default to `/etc/certs/consul_client.key`). -- `JANS_CONFIG_CONSUL_TOKEN_FILE`: path to file contains ACL token (default to `/etc/certs/consul_token`). -- `JANS_CONFIG_KUBERNETES_NAMESPACE`: Kubernetes namespace (default to `default`). -- `JANS_CONFIG_KUBERNETES_CONFIGMAP`: Kubernetes configmaps name (default to `gluu`). -- `JANS_CONFIG_KUBERNETES_USE_KUBE_CONFIG`: Load credentials from `$HOME/.kube/config`, only useful for non-container environment (default to `false`). -- `JANS_SECRET_ADAPTER`: The secrets adapter, can be `vault` or `kubernetes`. -- `JANS_SECRET_VAULT_SCHEME`: supported Vault scheme (`http` or `https`). 
-- `JANS_SECRET_VAULT_HOST`: hostname or IP of Vault (default to `localhost`). -- `JANS_SECRET_VAULT_PORT`: port of Vault (default to `8200`). -- `JANS_SECRET_VAULT_VERIFY`: whether to verify cert or not (default to `false`). -- `JANS_SECRET_VAULT_ROLE_ID_FILE`: path to file contains Vault AppRole role ID (default to `/etc/certs/vault_role_id`). -- `JANS_SECRET_VAULT_SECRET_ID_FILE`: path to file contains Vault AppRole secret ID (default to `/etc/certs/vault_secret_id`). -- `JANS_SECRET_VAULT_CERT_FILE`: path to Vault cert file (default to `/etc/certs/vault_client.crt`). -- `JANS_SECRET_VAULT_KEY_FILE`: path to Vault key file (default to `/etc/certs/vault_client.key`). -- `JANS_SECRET_VAULT_CACERT_FILE`: path to Vault CA cert file (default to `/etc/certs/vault_ca.crt`). This file will be used if it exists and `JANS_SECRET_VAULT_VERIFY` set to `true`. -- `JANS_SECRET_KUBERNETES_NAMESPACE`: Kubernetes namespace (default to `default`). -- `JANS_SECRET_KUBERNETES_CONFIGMAP`: Kubernetes secrets name (default to `gluu`). -- `JANS_SECRET_KUBERNETES_USE_KUBE_CONFIG`: Load credentials from `$HOME/.kube/config`, only useful for non-container environment (default to `false`). -- `JANS_WAIT_MAX_TIME`: How long the startup "health checks" should run (default to `300` seconds). -- `JANS_WAIT_SLEEP_DURATION`: Delay between startup "health checks" (default to `10` seconds). -- `JANS_MAX_RAM_PERCENTAGE`: Value passed to Java option `-XX:MaxRAMPercentage`. -- `JANS_DEBUG_PORT`: port of remote debugging (if omitted, remote debugging will be disabled). -- `JANS_PERSISTENCE_TYPE`: Persistence backend being used (one of `ldap`, `couchbase`, or `hybrid`; default to `ldap`). -- `JANS_PERSISTENCE_LDAP_MAPPING`: Specify data that should be saved in LDAP (one of `default`, `user`, `cache`, `site`, `token`, or `session`; default to `default`). Note this environment only takes effect when `JANS_PERSISTENCE_TYPE` is set to `hybrid`. 
-- `JANS_LDAP_URL`: Address and port of LDAP server (default to `localhost:1636`); required if `JANS_PERSISTENCE_TYPE` is set to `ldap` or `hybrid`. -- `JANS_COUCHBASE_URL`: Address of Couchbase server (default to `localhost`); required if `JANS_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. -- `JANS_COUCHBASE_USER`: Username of Couchbase server (default to `admin`); required if `JANS_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. -- `JANS_COUCHBASE_CERT_FILE`: Couchbase root certificate location (default to `/etc/certs/couchbase.crt`); required if `JANS_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. -- `JANS_COUCHBASE_PASSWORD_FILE`: Path to file contains Couchbase password (default to `/etc/gluu/conf/couchbase_password`); required if `JANS_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. -- `JANS_COUCHBASE_CONN_TIMEOUT`: Connect timeout used when a bucket is opened (default to `10000` milliseconds). -- `JANS_COUCHBASE_CONN_MAX_WAIT`: Maximum time to wait before retrying connection (default to `20000` milliseconds). -- `JANS_COUCHBASE_SCAN_CONSISTENCY`: Default scan consistency; one of `not_bounded`, `request_plus`, or `statement_plus` (default to `not_bounded`). -- `JANS_JAVA_OPTIONS`: Java options passed to entrypoint, i.e. `-Xmx1024m` (default to empty-string). -- `JANS_DOCUMENT_STORE_TYPE`: Document store type (one of `LOCAL` or `JCA`; default to `LOCAL`). -- `JANS_JCA_URL`: __DEPRECATED__ in favor of `JANS_JACKRABBIT_URL`. -- `JANS_JACKRABBIT_URL`: URL to remote repository (default to `http://localhost:8080`). -- `JANS_JCA_SYNC_INTERVAL`: __DEPRECATED__ in favor of `JANS_JACKRABBIT_SYNC_INTERVAL`. -- `JANS_JACKRABBIT_SYNC_INTERVAL`: Interval between files sync (default to `300` seconds). -- `JANS_JACKRABBIT_ADMIN_ID`: Admin username (default to `admin`). -- `JANS_JACKRABBIT_ADMIN_PASSWORD_FILE`: Absolute path to file contains password for admin user (default to `/etc/gluu/conf/jackrabbit_admin_password`). 
-- `JANS_SSL_CERT_FROM_SECRETS`: Determine whether to get SSL cert from secrets backend (default to `false`). Note that the flag will take effect only if there's no mounted `/etc/certs/gluu_https.crt` file. -- `JANS_SYNC_JKS_ENABLED`: Whether to enable JKS sync (default to `false`). Enable this flag if using `gluufederation/key-rotation:4.1.1_02` and below (for key-regeneration). -- `JANS_SYNC_JKS_INTERVAL`: Interval of JKS sync in seconds (if needed); obsolete. +- `CN_CONFIG_ADAPTER`: The config backend adapter, can be `consul` (default) or `kubernetes`. +- `CN_CONFIG_CONSUL_HOST`: hostname or IP of Consul (default to `localhost`). +- `CN_CONFIG_CONSUL_PORT`: port of Consul (default to `8500`). +- `CN_CONFIG_CONSUL_CONSISTENCY`: Consul consistency mode (choose one of `default`, `consistent`, or `stale`). Default to `stale` mode. +- `CN_CONFIG_CONSUL_SCHEME`: supported Consul scheme (`http` or `https`). +- `CN_CONFIG_CONSUL_VERIFY`: whether to verify cert or not (default to `false`). +- `CN_CONFIG_CONSUL_CACERT_FILE`: path to Consul CA cert file (default to `/etc/certs/consul_ca.crt`). This file will be used if it exists and `CN_CONFIG_CONSUL_VERIFY` set to `true`. +- `CN_CONFIG_CONSUL_CERT_FILE`: path to Consul cert file (default to `/etc/certs/consul_client.crt`). +- `CN_CONFIG_CONSUL_KEY_FILE`: path to Consul key file (default to `/etc/certs/consul_client.key`). +- `CN_CONFIG_CONSUL_TOKEN_FILE`: path to file contains ACL token (default to `/etc/certs/consul_token`). +- `CN_CONFIG_KUBERNETES_NAMESPACE`: Kubernetes namespace (default to `default`). +- `CN_CONFIG_KUBERNETES_CONFIGMAP`: Kubernetes configmaps name (default to `jans`). +- `CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG`: Load credentials from `$HOME/.kube/config`, only useful for non-container environment (default to `false`). +- `CN_SECRET_ADAPTER`: The secrets adapter, can be `vault` or `kubernetes`. +- `CN_SECRET_VAULT_SCHEME`: supported Vault scheme (`http` or `https`). 
+- `CN_SECRET_VAULT_HOST`: hostname or IP of Vault (default to `localhost`). +- `CN_SECRET_VAULT_PORT`: port of Vault (default to `8200`). +- `CN_SECRET_VAULT_VERIFY`: whether to verify cert or not (default to `false`). +- `CN_SECRET_VAULT_ROLE_ID_FILE`: path to file contains Vault AppRole role ID (default to `/etc/certs/vault_role_id`). +- `CN_SECRET_VAULT_SECRET_ID_FILE`: path to file contains Vault AppRole secret ID (default to `/etc/certs/vault_secret_id`). +- `CN_SECRET_VAULT_CERT_FILE`: path to Vault cert file (default to `/etc/certs/vault_client.crt`). +- `CN_SECRET_VAULT_KEY_FILE`: path to Vault key file (default to `/etc/certs/vault_client.key`). +- `CN_SECRET_VAULT_CACERT_FILE`: path to Vault CA cert file (default to `/etc/certs/vault_ca.crt`). This file will be used if it exists and `CN_SECRET_VAULT_VERIFY` set to `true`. +- `CN_SECRET_KUBERNETES_NAMESPACE`: Kubernetes namespace (default to `default`). +- `CN_SECRET_KUBERNETES_SECRET`: Kubernetes secrets name (default to `jans`). +- `CN_SECRET_KUBERNETES_USE_KUBE_CONFIG`: Load credentials from `$HOME/.kube/config`, only useful for non-container environment (default to `false`). +- `CN_WAIT_MAX_TIME`: How long the startup "health checks" should run (default to `300` seconds). +- `CN_WAIT_SLEEP_DURATION`: Delay between startup "health checks" (default to `10` seconds). +- `CN_MAX_RAM_PERCENTAGE`: Value passed to Java option `-XX:MaxRAMPercentage`. +- `CN_DEBUG_PORT`: port of remote debugging (if omitted, remote debugging will be disabled). +- `CN_PERSISTENCE_TYPE`: Persistence backend being used (one of `ldap`, `couchbase`, or `hybrid`; default to `ldap`). +- `CN_PERSISTENCE_LDAP_MAPPING`: Specify data that should be saved in LDAP (one of `default`, `user`, `cache`, `site`, `token`, or `session`; default to `default`). Note this environment only takes effect when `CN_PERSISTENCE_TYPE` is set to `hybrid`. 
+- `CN_LDAP_URL`: Address and port of LDAP server (default to `localhost:1636`); required if `CN_PERSISTENCE_TYPE` is set to `ldap` or `hybrid`. +- `CN_COUCHBASE_URL`: Address of Couchbase server (default to `localhost`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. +- `CN_COUCHBASE_USER`: Username of Couchbase server (default to `admin`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. +- `CN_COUCHBASE_CERT_FILE`: Couchbase root certificate location (default to `/etc/certs/couchbase.crt`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. +- `CN_COUCHBASE_PASSWORD_FILE`: Path to file contains Couchbase password (default to `/etc/jans/conf/couchbase_password`); required if `CN_PERSISTENCE_TYPE` is set to `couchbase` or `hybrid`. +- `CN_COUCHBASE_CONN_TIMEOUT`: Connect timeout used when a bucket is opened (default to `10000` milliseconds). +- `CN_COUCHBASE_CONN_MAX_WAIT`: Maximum time to wait before retrying connection (default to `20000` milliseconds). +- `CN_COUCHBASE_SCAN_CONSISTENCY`: Default scan consistency; one of `not_bounded`, `request_plus`, or `statement_plus` (default to `not_bounded`). +- `CN_JAVA_OPTIONS`: Java options passed to entrypoint, i.e. `-Xmx1024m` (default to empty-string). +- `CN_DOCUMENT_STORE_TYPE`: Document store type (one of `LOCAL` or `JCA`; default to `LOCAL`). +- `CN_JCA_URL`: __DEPRECATED__ in favor of `CN_JACKRABBIT_URL`. +- `CN_JACKRABBIT_URL`: URL to remote repository (default to `http://localhost:8080`). +- `CN_JCA_SYNC_INTERVAL`: __DEPRECATED__ in favor of `CN_JACKRABBIT_SYNC_INTERVAL`. +- `CN_JACKRABBIT_SYNC_INTERVAL`: Interval between files sync (default to `300` seconds). +- `CN_JACKRABBIT_ADMIN_ID`: Admin username (default to `admin`). +- `CN_JACKRABBIT_ADMIN_PASSWORD_FILE`: Absolute path to file contains password for admin user (default to `/etc/jans/conf/jackrabbit_admin_password`). 
+- `CN_SSL_CERT_FROM_SECRETS`: Determine whether to get SSL cert from secrets backend (default to `false`). Note that the flag will take effect only if there's no mounted `/etc/certs/jans_https.crt` file. +- `CN_SYNC_JKS_ENABLED`: Whether to enable JKS sync (default to `false`). Enable this flag if using `gluufederation/key-rotation:4.1.1_02` and below (for key-regeneration). +- `CN_SYNC_JKS_INTERVAL`: Interval of JKS sync in seconds (if needed); obsolete. diff --git a/automation/auto_update_build_date.py b/automation/auto_update_build_date.py index 53253b03..41dfb195 100644 --- a/automation/auto_update_build_date.py +++ b/automation/auto_update_build_date.py 
@@ -8,21 +8,29 @@ "url": "https://ox.gluu.org/maven/org/gluufederation/opendj/opendj-server-legacy/{}", "source_package": "opendj-server-legacy-{}.zip" }, - "oxauth-client": { - "url": "https://maven.jans.io/maven/org/jans/oxauth-client/{}", - "source_package": "oxauth-client-{}-jar-with-dependencies.jar" + "jans-auth-client": { + "url": "https://maven.jans.io/maven/io/jans/jans-auth-client/{}", + "source_package": "jans-auth-client-{}-SNAPSHOT-jar-with-dependencies.jar" }, - "oxauth-server": { - "url": "https://maven.jans.io/maven/org/jans/oxauth-server/{}", - "source_package": "oxauth-server-{}.war" + "jans-auth-server": { + "url": "https://maven.jans.io/maven/io/jans/jans-auth-server/{}", + "source_package": "jans-auth-server-{}.war" }, - "scim-server": { - "url": "https://maven.jans.io/maven/org/jans/scim-server/{}", - "source_package": "scim-server-{}.war" + "jans-scim-server": { + "url": "https://maven.jans.io/maven/io/jans/jans-scim-server/{}", + "source_package": "jans-scim-server-{}.war" }, - "fido2-server": { - "url": "https://maven.jans.io/maven/org/jans/fido2-server/{}", - "source_package": "fido2-server-{}.war" + "jans-fido2-server": { + "url": "https://maven.jans.io/maven/io/jans/jans-fido2-server/{}", + "source_package": "jans-fido2-server-{}.war" + }, + "jans-client-api": { + "url": "https://maven.jans.io/maven/io/jans/jans-client-api/{}", + "source_package": "jans-client-api-{}.jar" + }, + "jans-config-api": { + "url": "https://maven.jans.io/maven/io/jans/jans-config-api/{}", + "source_package": "jans-config-api-{}-runner.jar" }, } 
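Review bot: The new `jans-auth-client` entry hard-codes `-SNAPSHOT` into `"source_package": "jans-auth-client-{}-SNAPSHOT-jar-with-dependencies.jar"`, while every sibling entry leaves the suffix to the `{}` placeholder; if the caller fills `{}` with the version read from `ENV CN_VERSION=5.0.0-SNAPSHOT`, as the Dockerfile in this commit sets it, the resulting name would contain `5.0.0-SNAPSHOT-SNAPSHOT`. Unless the client artifact really is published under that doubled name, the entry should match its siblings: `"source_package": "jans-auth-client-{}-jar-with-dependencies.jar"`. The dict this hunk edits begins outside the hunk, so the name of the mapping and its consumer are not visible here.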
@@ -58,13 +66,13 @@ def parse_source(package_name, version): def find_current_jans_package_version_and_build_date(dockerfile): - jans_packages = ["oxauth-client", "opendj-server-legacy", - "oxauth-server","scim-server", - "fido2-server"] + jans_packages = ["jans-auth-client", "opendj-server-legacy", + "jans-auth-server", "jans-scim-server", + "jans-fido2-server", "jans-client-api", "jans-config-api"] wrends_version_search_string = "ENV WRENDS_VERSION=" wrends_build_date_search_string = "ENV WRENDS_BUILD_DATE=" - jans_version_search_string = "ENV JANS_VERSION=" - jans_build_date_search_string = "ENV JANS_BUILD_DATE=" + jans_version_search_string = "ENV CN_VERSION=" + jans_build_date_search_string = "ENV CN_BUILD_DATE=" jans_package = "" jans_version = "" jans_build_date = "" @@ -91,9 +99,9 @@ def find_current_jans_package_version_and_build_date(dockerfile): def update_build_date(dockerfile, old_build_date, new_build_date): wrends_build_date_search_string = 'WRENDS_BUILD_DATE=' + '"' + old_build_date + '"' - jans_build_date_search_string = "JANS_BUILD_DATE=" + '"' + old_build_date + '"' + jans_build_date_search_string = "CN_BUILD_DATE=" + '"' + old_build_date + '"' wrends_build_new_date_string = 'WRENDS_BUILD_DATE=' + '"' + new_build_date + '"' - jans_build_new_date_string = "JANS_BUILD_DATE=" + '"' + new_build_date + '"' + jans_build_new_date_string = "CN_BUILD_DATE=" + '"' + new_build_date + '"' with open(dockerfile, "r+") as file: contents = file.read() contents = contents.replace(wrends_build_date_search_string, wrends_build_new_date_string) diff --git a/certs/super_gluu_creds.json b/certs/super_jans_creds.json similarity index 79% rename from certs/super_gluu_creds.json rename to certs/super_jans_creds.json index 0afb716e..cf85bb54 100644 --- a/certs/super_gluu_creds.json +++ b/certs/super_jans_creds.json 
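Review bot: `update_build_date` opens the Dockerfile with `"r+"`, reads it, and rewrites `contents` in memory; the write-back is outside this hunk, but unless it performs `file.seek(0)` followed by `file.truncate()` before writing, any replacement that shortens the text leaves the old tail bytes in the Dockerfile. The two date strings being swapped are presumably equal in length today, so the problem would surface only when the date format changes. Reading with `"r"` and then reopening with `"w"` for the write, or an explicit `file.seek(0); file.truncate()`, removes the dependency on equal lengths.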
@@ -1,19 +1,19 @@ { "android":{ - "gluu":{ + "jans":{ "enabled":true, "access_key":"36WH2JiexBOoAIBP", "secret_access_key":"ueqsU2Dc7m3r4HmLz4M79DpzzCNqTfek" } }, "ios":{ - "gluu":{ + "jans":{ "enabled":true, "access_key":"auONAdePWoYFBX6V", "secret_access_key":"f050aW0nnihym0GwktWd7O15jGSQcoei" } }, - "gluu":{ - "server_uri":"https://api.gluu.org" + "jans":{ + "server_uri":"https://api.jans.io" } } diff --git a/certs/vericloud_gluu_creds.json b/certs/vericloud_jans_creds.json similarity index 100% rename from certs/vericloud_gluu_creds.json rename to certs/vericloud_jans_creds.json diff --git a/conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V1.pem b/conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V1.pem deleted file mode 100644 index 3adb65f6..00000000 --- a/conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V1.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBjTCCATOgAwIBAgIBATAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxGVCBGSURP -IDAxMDAwHhcNMTQwNzAxMTUzNjI2WhcNNDQwNzAzMTUzNjI2WjAXMRUwEwYDVQQD -EwxGVCBGSURPIDAxMDAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASxdLxJx8ol -S3DS5cIHzunPF0gg69d+o8ZVCMJtpRtlfBzGuVL4YhaXk2SC2gptPTgmpZCV2vbN -fAPi5gOF0vbZo3AwbjAdBgNVHQ4EFgQUXt4jWlYDgwhaPU+EqLmeM9LoPRMwPwYD -VR0jBDgwNoAUXt4jWlYDgwhaPU+EqLmeM9LoPROhG6QZMBcxFTATBgNVBAMTDEZU -IEZJRE8gMDEwMIIBATAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIQC2 -D9o9cconKTo8+4GZPyZBJ3amc8F0/kzyidX9dhrAIAIgM9ocs5BW/JfmshVP9Mb+ -Joa/kgX4dWbZxrk0ioTfJZg= ------END CERTIFICATE----- diff --git a/conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V2.pem b/conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V2.pem deleted file mode 100644 index a3da3851..00000000 --- a/conf/fido2/authenticator_cert/HyperFIDO_CA_Cert_V2.pem +++ /dev/null 
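Review bot: The `access_key` and `secret_access_key` values in both the `android` and `ios` blocks are committed in plaintext and survive this rename unchanged; if they are live credentials rather than placeholders they should be treated as exposed, rotated, and supplied at runtime from the secrets backend the image already uses (`manager.secret` in `scripts/bootstrap.py`) rather than shipped in the repository. If they are deliberately public demo values, strict JSON offers no place for a comment, so that fact belongs in the README next to this file's description. The `server_uri` change to `https://api.jans.io` is fine provided that host actually serves the Super Gluu API; confirm before release.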
@@ -1,12 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBxzCCAWygAwIBAgICEAswCgYIKoZIzj0EAwIwOjELMAkGA1UEBhMCQ0ExEjAQ -BgNVBAoMCUhZUEVSU0VDVTEXMBUGA1UEAwwOSFlQRVJGSURPIDAyMDAwIBcNMTgw -MTAxMDAwMDAwWhgPMjA0NzEyMzEyMzU5NTlaMDoxCzAJBgNVBAYTAkNBMRIwEAYD -VQQKDAlIWVBFUlNFQ1UxFzAVBgNVBAMMDkhZUEVSRklETyAwMjAwMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAErKUI1G0S7a6IOLlmHipLlBuxTYjsEESQvzQh3dB7 -dvxxWWm7kWL91rq6S7ayZG0gZPR+zYqdFzwAYDcG4+aX66NgMF4wHQYDVR0OBBYE -FLZYcfMMwkQAGbt3ryzZFPFypmsIMB8GA1UdIwQYMBaAFLZYcfMMwkQAGbt3ryzZ -FPFypmsIMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMC -A0kAMEYCIQCG2/ppMGt7pkcRie5YIohS3uDPIrmiRcTjqDclKVWg0gIhANcPNDZH -E2/zZ+uB5ThG9OZus+xSb4knkrbAyXKX2zm/ ------END CERTIFICATE----- diff --git a/conf/fido2/authenticator_cert/yubico-u2f-ca-cert.crt b/conf/fido2/authenticator_cert/yubico-u2f-ca-cert.crt deleted file mode 100644 index 15a1dc28..00000000 --- a/conf/fido2/authenticator_cert/yubico-u2f-ca-cert.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDHjCCAgagAwIBAgIEG0BT9zANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZ -dWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAw -MDBaGA8yMDUwMDkwNDAwMDAwMFowLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290 -IENBIFNlcmlhbCA0NTcyMDA2MzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC/jwYuhBVlqaiYWEMsrWFisgJ+PtM91eSrpI4TK7U53mwCIawSDHy8vUmk -5N2KAj9abvT9NP5SMS1hQi3usxoYGonXQgfO6ZXyUA9a+KAkqdFnBnlyugSeCOep -8EdZFfsaRFtMjkwz5Gcz2Py4vIYvCdMHPtwaz0bVuzneueIEz6TnQjE63Rdt2zbw -nebwTG5ZybeWSwbzy+BJ34ZHcUhPAY89yJQXuE0IzMZFcEBbPNRbWECRKgjq//qT -9nmDOFVlSRCt2wiqPSzluwn+v+suQEBsUjTGMEd25tKXXTkNW21wIWbxeSyUoTXw -LvGS6xlwQSgNpk2qXYwf8iXg7VWZAgMBAAGjQjBAMB0GA1UdDgQWBBQgIvz0bNGJ -hjgpToksyKpP9xv9oDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAN -BgkqhkiG9w0BAQsFAAOCAQEAjvjuOMDSa+JXFCLyBKsycXtBVZsJ4Ue3LbaEsPY4 -MYN/hIQ5ZM5p7EjfcnMG4CtYkNsfNHc0AhBLdq45rnT87q/6O3vUEtNMafbhU6kt -hX7Y+9XFN9NpmYxr+ekVY5xOxi8h9JDIgoMP4VB1uS0aunL1IGqrNooL9mmFnL2k -LVVee6/VR6C5+KSTCMCWppMuJIZII2v9o4dkoZ8Y7QRjQlLfYzd3qGtKbw7xaF1U -sG/5xUb/Btwb2X2g4InpiB/yt/3CpQXpiWX/K4mBvUKiGn05ZsqeY1gx4g0xLBqc -U9psmyPzK+Vsgw2jeRQ5JlKDyqE0hebfC1tvFu0CCrJFcw== ------END CERTIFICATE----- diff --git a/conf/fido2/mds_toc_cert/metadata-root-ca.cer b/conf/fido2/mds_toc_cert/metadata-root-ca.cer deleted file mode 100644 index 04d0ed5e..00000000 --- a/conf/fido2/mds_toc_cert/metadata-root-ca.cer +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICQzCCAcigAwIBAgIORqmxkzowRM99NQZJurcwCgYIKoZIzj0EAwMwUzELMAkG -A1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxsaWFuY2UxHTAbBgNVBAsTFE1ldGFk -YXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRSb290MB4XDTE1MDYxNzAwMDAwMFoX -DTQ1MDYxNzAwMDAwMFowUzELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUZJRE8gQWxs -aWFuY2UxHTAbBgNVBAsTFE1ldGFkYXRhIFRPQyBTaWduaW5nMQ0wCwYDVQQDEwRS -b290MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEFEoo+6jdxg6oUuOloqPjK/nVGyY+ -AXCFz1i5JR4OPeFJs+my143ai0p34EX4R1Xxm9xGi9n8F+RxLjLNPHtlkB3X4ims -rfIx7QcEImx1cMTgu5zUiwxLX1ookVhIRSoso2MwYTAOBgNVHQ8BAf8EBAMCAQYw -DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU0qUfC6f2YshA1Ni9udeO0VS7vEYw -HwYDVR0jBBgwFoAU0qUfC6f2YshA1Ni9udeO0VS7vEYwCgYIKoZIzj0EAwMDaQAw -ZgIxAKulGbSFkDSZusGjbNkAhAkqTkLWo3GrN5nRBNNk2Q4BlG+AvM5q9wa5WciW -DcMdeQIxAMOEzOFsxX9Bo0h4LOFE5y5H8bdPFYW+l5gy1tQiJv+5NUyM2IBB55XU -YjdBz56jSA== ------END CERTIFICATE----- diff --git a/conf/gluu.properties.tmpl b/conf/gluu.properties.tmpl deleted file mode 100644 index 853495cc..00000000 --- a/conf/gluu.properties.tmpl +++ /dev/null @@ -1,13 +0,0 @@ -persistence.type=%(persistence_type)s - -oxauth_ConfigurationEntryDN=ou=oxauth,ou=configuration,o=gluu -oxtrust_ConfigurationEntryDN=ou=oxtrust,ou=configuration,o=gluu -oxidp_ConfigurationEntryDN=ou=oxidp,ou=configuration,o=gluu -oxcas_ConfigurationEntryDN=ou=oxcas,ou=configuration,o=gluu -oxpassport_ConfigurationEntryDN=ou=oxpassport,ou=configuration,o=gluu -oxradius_ConfigurationEntryDN=ou=oxradius,ou=configuration,o=gluu -fido2_ConfigurationEntryDN=ou=fido2,ou=configuration,o=gluu - -certsDir=%(certFolder)s -confDir= -pythonModulesDir=%(gluuOptPythonFolder)s/libs:/opt/jython/Lib/site-packages diff --git a/conf/gluu-couchbase.properties.tmpl b/conf/jans-couchbase.properties.tmpl similarity index 69% rename from conf/gluu-couchbase.properties.tmpl rename to conf/jans-couchbase.properties.tmpl index 3371a8ad..69941f0f 100644 --- a/conf/gluu-couchbase.properties.tmpl +++ b/conf/jans-couchbase.properties.tmpl 
@@ -1,6 +1,14 @@ servers: %(hostname)s +# The connect timeout is used when a Bucket is opened. +# If you feel the urge to change this value to something higher, there is a good chance that your network is not properly set up. +# Connecting to the server should in practice not take longer than a second on a reasonably fast network. +# Default SDK connectTimeout is 10s connection.connect-timeout: %(couchbase_conn_timeout)s + +# At startup when connection error is occurred persistence layer can make another attempt to open buckets. +# Before make next try it pause process for 5 second. If after that total connection time is less than specified +# in property above new attempt will be executed connection.connection-max-wait-time: %(couchbase_conn_max_wait)s connection.operation-tracing-enabled: false diff --git a/conf/gluu-ldap.properties.tmpl b/conf/jans-ldap.properties.tmpl similarity index 100% rename from conf/gluu-ldap.properties.tmpl rename to conf/jans-ldap.properties.tmpl diff --git a/conf/jans.properties.tmpl b/conf/jans.properties.tmpl new file mode 100644 index 00000000..e9d142a4 --- /dev/null +++ b/conf/jans.properties.tmpl @@ -0,0 +1,9 @@ +persistence.type=%(persistence_type)s + +jansAuth_ConfigurationEntryDN=ou=jans-auth,ou=configuration,o=jans +fido2_ConfigurationEntryDN=ou=jans-fido2,ou=configuration,o=jans +scim_ConfigurationEntryDN=ou=jans-scim,ou=configuration,o=jans + +certsDir=/etc/certs +confDir= +pythonModulesDir=/opt/jans/python/libs:/opt/jython/Lib/site-packages diff --git a/jetty/oxauth.xml b/jetty/jans-auth.xml similarity index 76% rename from jetty/oxauth.xml rename to jetty/jans-auth.xml index 38e32727..99d7ae8c 100644 --- a/jetty/oxauth.xml +++ b/jetty/jans-auth.xml @@ -2,9 +2,9 @@ - /oxauth + /jans-auth - /oxauth + /jans-auth false %(extra_classpath)s 
diff --git a/jetty/oxauth_web_resources.xml b/jetty/jans-auth_web_resources.xml similarity index 73% rename from jetty/oxauth_web_resources.xml rename to jetty/jans-auth_web_resources.xml index 3e019e95..2339ca64 100644 --- a/jetty/oxauth_web_resources.xml +++ b/jetty/jans-auth_web_resources.xml @@ -1,10 +1,10 @@ - /oxauth/ext/resources + /jans-auth/ext/resources - /opt/gluu/jetty/oxauth/custom/static + /opt/jans/jetty/jans-auth/custom/static false diff --git a/libs/casa-external_super_gluu.py b/libs/casa-external_super_gluu.py index dd94b0a1..e7831b7c 100644 --- a/libs/casa-external_super_gluu.py +++ b/libs/casa-external_super_gluu.py @@ -128,7 +128,7 @@ def init(self, customScript, configurationAttributes): # Validate license try: self.license_content = LicenseValidator.validate(license["public-key"], license["public-password"], license["license-password"], license["license"], - Product.SUPER_JANS, Date()) + Product.SUPER_CN, Date()) self.valid_license = self.license_content.isValid() except: print "Super-Gluu. Initialization. Failed to validate license. Exception: ", sys.exc_info()[1] diff --git a/requirements.txt b/requirements.txt index 7632f2b8..3a396f74 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ --e git+https://github.com/JanssenProject/pygluu-containerlib@2.3.0#egg=pygluu-containerlib +-e git+https://github.com/JanssenProject/jans-pycloudlib@f83b814dcea6447e1f62e9cad81931234247d930#egg=jans-pycloudlib diff --git a/scripts/entrypoint.py b/scripts/bootstrap.py similarity index 54% rename from scripts/entrypoint.py rename to scripts/bootstrap.py index fd50bbf6..5d6ea26c 100644 --- a/scripts/entrypoint.py +++ b/scripts/bootstrap.py 
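Review bot: The new `Product.SUPER_CN` reference sits inside a bare `except:` that only prints, so if `SUPER_CN` is not an attribute of `Product` (or the validator rejects it) the resulting `AttributeError` or validation failure is swallowed and `self.valid_license` is left at whatever the surrounding code initialised it to, silently changing licensing behaviour. Catching `Exception` instead of everything and printing the exception type as well as the value makes a rename typo fail visibly in the log, e.g. `except Exception: print "Super-Gluu. Initialization. Failed to validate license. Exception: ", sys.exc_info()[0], sys.exc_info()[1]`. The message still says `Super-Gluu`, which is inconsistent with the rename but harmless. `init` begins and ends outside this hunk.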
@@ -4,11 +4,10 @@ from jans.pycloudlib import get_manager from jans.pycloudlib.persistence import render_couchbase_properties -from jans.pycloudlib.persistence import render_gluu_properties +from jans.pycloudlib.persistence import render_base_properties from jans.pycloudlib.persistence import render_hybrid_properties from jans.pycloudlib.persistence import render_ldap_properties from jans.pycloudlib.persistence import render_salt -# from jans.pycloudlib.persistence import sync_couchbase_cert from jans.pycloudlib.persistence import sync_couchbase_truststore from jans.pycloudlib.persistence import sync_ldap_truststore from jans.pycloudlib.utils import cert_to_truststore 
@@ -61,85 +60,69 @@ def modify_webdefault_xml(): def main(): - persistence_type = os.environ.get("JANS_PERSISTENCE_TYPE", "ldap") + persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") - render_salt(manager, "/app/templates/salt.tmpl", "/etc/gluu/conf/salt") - render_gluu_properties("/app/templates/gluu.properties.tmpl", "/etc/gluu/conf/gluu.properties") + render_salt(manager, "/app/templates/salt.tmpl", "/etc/jans/conf/salt") + render_base_properties("/app/templates/jans.properties.tmpl", "/etc/jans/conf/jans.properties") if persistence_type in ("ldap", "hybrid"): render_ldap_properties( manager, - "/app/templates/gluu-ldap.properties.tmpl", - "/etc/gluu/conf/gluu-ldap.properties", + "/app/templates/jans-ldap.properties.tmpl", + "/etc/jans/conf/jans-ldap.properties", ) sync_ldap_truststore(manager) if persistence_type in ("couchbase", "hybrid"): render_couchbase_properties( manager, - "/app/templates/gluu-couchbase.properties.tmpl", - "/etc/gluu/conf/gluu-couchbase.properties", + "/app/templates/jans-couchbase.properties.tmpl", + "/etc/jans/conf/jans-couchbase.properties", ) # need to resolve whether we're using default or user-defined couchbase cert # sync_couchbase_cert(manager) sync_couchbase_truststore(manager) if persistence_type == "hybrid": - render_hybrid_properties("/etc/gluu/conf/gluu-hybrid.properties") + render_hybrid_properties("/etc/jans/conf/jans-hybrid.properties") - if not os.path.isfile("/etc/certs/gluu_https.crt"): - if as_boolean(os.environ.get("JANS_SSL_CERT_FROM_SECRETS", False)): - manager.secret.to_file("ssl_cert", "/etc/certs/gluu_https.crt") + if not os.path.isfile("/etc/certs/web_https.crt"): + if as_boolean(os.environ.get("CN_SSL_CERT_FROM_SECRETS", False)): + manager.secret.to_file("ssl_cert", "/etc/certs/web_https.crt") else: - get_server_certificate(manager.config.get("hostname"), 443, "/etc/certs/gluu_https.crt") + get_server_certificate(manager.config.get("hostname"), 443, "/etc/certs/web_https.crt") cert_to_truststore( 
- "gluu_https", - "/etc/certs/gluu_https.crt", + "jans_https", + "/etc/certs/jans_https.crt", "/usr/lib/jvm/default-jvm/jre/lib/security/cacerts", "changeit", ) - if not os.path.isfile("/etc/certs/idp-signing.crt"): - manager.secret.to_file("idp3SigningCertificateText", "/etc/certs/idp-signing.crt") + # if not os.path.isfile("/etc/certs/idp-signing.crt"): + # manager.secret.to_file("idp3SigningCertificateText", "/etc/certs/idp-signing.crt") - manager.secret.to_file("passport_rp_jks_base64", "/etc/certs/passport-rp.jks", - decode=True, binary_mode=True) - - manager.secret.to_file("api_rp_jks_base64", "/etc/certs/api-rp.jks", - decode=True, binary_mode=True) - with open(manager.config.get("api_rp_client_jwks_fn"), "w") as f: - f.write( - base64.b64decode(manager.secret.get("api_rp_client_base64_jwks")).decode() - ) - - manager.secret.to_file("api_rs_jks_base64", "/etc/certs/api-rs.jks", - decode=True, binary_mode=True) - with open(manager.config.get("api_rs_client_jwks_fn"), "w") as f: - f.write( - base64.b64decode(manager.secret.get("api_rs_client_base64_jwks")).decode() - ) + # manager.secret.to_file("passport_rp_jks_base64", "/etc/certs/passport-rp.jks", + # decode=True, binary_mode=True) - # manager.secret.to_file("scim_rs_jks_base64", "/etc/certs/scim-rs.jks", + # manager.secret.to_file("api_rp_jks_base64", "/etc/certs/api-rp.jks", # decode=True, binary_mode=True) - # with open(manager.config.get("scim_rs_client_jwks_fn"), "w") as f: + # with open(manager.config.get("api_rp_client_jwks_fn"), "w") as f: # f.write( - # base64.b64decode(manager.secret.get("scim_rs_client_base64_jwks")).decode() + # base64.b64decode(manager.secret.get("api_rp_client_base64_jwks")).decode(), # ) - # manager.secret.to_file("scim_rp_jks_base64", "/etc/certs/scim-rp.jks", + # manager.secret.to_file("api_rs_jks_base64", "/etc/certs/api-rs.jks", # decode=True, binary_mode=True) - # with open(manager.config.get("scim_rp_client_jwks_fn"), "w") as f: + # with 
open(manager.config.get("api_rs_client_jwks_fn"), "w") as f: # f.write( - # base64.b64decode(manager.secret.get("scim_rp_client_base64_jwks")).decode() + # base64.b64decode(manager.secret.get("api_rs_client_base64_jwks")).decode(), # ) modify_jetty_xml() modify_webdefault_xml() - sync_enabled = as_boolean( - os.environ.get("JANS_SYNC_JKS_ENABLED", False) - ) + sync_enabled = as_boolean(os.environ.get("CN_SYNC_JKS_ENABLED", False)) if not sync_enabled: manager.secret.to_file( "oxauth_jks_base64", @@ -148,9 +131,7 @@ def main(): binary_mode=True, ) with open("/etc/certs/oxauth-keys.json", "w") as f: - f.write( - base64.b64decode(manager.secret.get("oxauth_openid_key_base64")).decode() - ) + f.write(base64.b64decode(manager.secret.get("oxauth_openid_key_base64")).decode()) if __name__ == "__main__": diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index 1c1e9a66..b055d975 100644 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh @@ -7,9 +7,9 @@ set -e get_debug_opt() { debug_opt="" - if [ -n "${JANS_DEBUG_PORT}" ]; then + if [ -n "${CN_DEBUG_PORT}" ]; then debug_opt=" - -agentlib:jdwp=transport=dt_socket,address=${JANS_DEBUG_PORT},server=y,suspend=n + -agentlib:jdwp=transport=dt_socket,address=${CN_DEBUG_PORT},server=y,suspend=n " fi echo "${debug_opt}" 
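Review bot: The HTTPS certificate is now written to `/etc/certs/web_https.crt` (from the secrets backend or via `get_server_certificate`), but the `cert_to_truststore` call immediately below still imports `/etc/certs/jans_https.crt`, a path nothing in this hunk writes, so the truststore import will presumably fail or pick up a stale file; the README in this same commit documents `/etc/certs/jans_https.crt` as the mount point, so the two names need reconciling. The smallest fix is `cert_to_truststore("web_https", "/etc/certs/web_https.crt", ...)` with the README updated to match, or alternatively keep `jans_https.crt` at every site. The `get_server_certificate(..., 443, ...)` fallback trusts whatever certificate the host serves at connect time; that is pre-existing, but a `# NOTE:` comment stating the trust assumption belongs on it now that the path is being changed. The large commented-out passport/api JKS blocks are dead code and would be better deleted than renamed; `main()` continues past the end of this hunk.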
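Review bot: `bootstrap.py` still writes the OpenID keys to `/etc/certs/oxauth-keys.json` (the context line in this hunk), while `scripts/jks_sync.py` in this same commit is changed to write `/etc/certs/auth-server-keys.json` and `/etc/certs/auth-server-keys.jks`, so the bootstrap-time keys and the periodically synced keys land in different files and the server will presumably read only one of them. Pick one pair of paths for both scripts: either keep `oxauth-keys.*` here and revert the rename in `jks_sync.py`, or update the `to_file(...)` and `open(...)` calls in this function to `auth-server-keys.*`. The same inconsistency applies to the `jks_created`/`jwks_created` hunk in `scripts/jks_sync.py`.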
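Review bot: `get_debug_opt` emits `-agentlib:jdwp=transport=dt_socket,address=${CN_DEBUG_PORT},server=y,suspend=n` with a bare port, which on JDK 8 binds the debug listener on all interfaces; a reachable JDWP port gives any peer control of the JVM, so the default should be loopback unless an operator opts in. `address=127.0.0.1:${CN_DEBUG_PORT}` makes the binding explicit on every JDK version (JDK 9+ accepts the host prefix and already defaults to localhost for a bare port), with port-forwarding used to reach it. Which JDK the base image ships is not visible in this hunk, so confirm before relying on the newer default behaviour.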
@@ -17,15 +17,17 @@ get_debug_opt() { move_builtin_jars() { # move twilio lib - if [ ! -f /opt/gluu/jetty/oxauth/custom/libs/twilio.jar ]; then - mkdir -p /opt/gluu/jetty/oxauth/custom/libs - mv /usr/share/java/twilio.jar /opt/gluu/jetty/oxauth/custom/libs/twilio.jar + if [ ! -f /opt/jans/jetty/jans-auth/custom/libs/twilio.jar ]; then + mkdir -p /opt/jans/jetty/jans-auth/custom/libs + # mv /usr/share/java/twilio.jar /opt/jans/jetty/jans-auth/custom/libs/twilio.jar + cp /usr/share/java/twilio.jar /opt/jans/jetty/jans-auth/custom/libs/twilio.jar fi # move jsmpp lib - if [ ! -f /opt/gluu/jetty/oxauth/custom/libs/jsmpp.jar ]; then - mkdir -p /opt/gluu/jetty/oxauth/custom/libs - mv /usr/share/java/jsmpp.jar /opt/gluu/jetty/oxauth/custom/libs/jsmpp.jar + if [ ! -f /opt/jans/jetty/jans-auth/custom/libs/jsmpp.jar ]; then + mkdir -p /opt/jans/jetty/jans-auth/custom/libs + # mv /usr/share/java/jsmpp.jar /opt/jans/jetty/jans-auth/custom/libs/jsmpp.jar + cp /usr/share/java/jsmpp.jar /opt/jans/jetty/jans-auth/custom/libs/jsmpp.jar fi } @@ -37,7 +39,7 @@ move_builtin_jars python3 /app/scripts/wait.py if [ ! -f /deploy/touched ]; then - python3 /app/scripts/entrypoint.py + python3 /app/scripts/bootstrap.py touch /deploy/touched fi @@ -46,18 +48,18 @@ python3 /app/scripts/jca_sync.py & python3 /app/scripts/mod_context.py # run oxAuth server -cd /opt/gluu/jetty/oxauth +cd /opt/jans/jetty/jans-auth mkdir -p /opt/jetty/temp exec java \ -server \ -XX:+DisableExplicitGC \ -XX:+UseContainerSupport \ - -XX:MaxRAMPercentage=$JANS_MAX_RAM_PERCENTAGE \ - -Dgluu.base=/etc/gluu \ - -Dserver.base=/opt/gluu/jetty/oxauth \ - -Dlog.base=/opt/gluu/jetty/oxauth \ + -XX:MaxRAMPercentage=$CN_MAX_RAM_PERCENTAGE \ + -Djans.base=/etc/jans \ + -Dserver.base=/opt/jans/jetty/jans-auth \ + -Dlog.base=/opt/jans/jetty/jans-auth \ -Dpython.home=/opt/jython \ -Djava.io.tmpdir=/opt/jetty/temp \ $(get_debug_opt) \ - ${JANS_JAVA_OPTIONS} \ + ${CN_JAVA_OPTIONS} \ -jar /opt/jetty/start.jar 
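Review bot: In `move_builtin_jars` the `mv` calls are replaced by `cp`, but the original `mv` lines are kept as comments and the `# move twilio lib` / `# move jsmpp lib` comments are now inaccurate; drop the commented-out lines and reword them to `# copy twilio lib` / `# copy jsmpp lib` (the function name is stale too, though renaming it touches the call site outside this hunk). Copying presumably exists so the jar is still present when `custom/libs` is a mounted volume; a one-line comment giving that reason documents the change better than the dead lines do.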
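Review bot: The `exec java` invocation uses `-XX:MaxRAMPercentage=$CN_MAX_RAM_PERCENTAGE` unquoted with no fallback, so when the variable is unset the JVM receives a malformed flag and aborts with a message that never names the variable. `-XX:MaxRAMPercentage="${CN_MAX_RAM_PERCENTAGE:?CN_MAX_RAM_PERCENTAGE must be set}"` fails early with a clear message under `set -e`, or supply the documented default with `${CN_MAX_RAM_PERCENTAGE:-<default-from-README>}`. `${CN_JAVA_OPTIONS}` is intentionally left unquoted for word splitting; a short comment saying so prevents a future "fix" from quoting it.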
diff --git a/scripts/healthcheck.py b/scripts/healthcheck.py index 369be395..93fce2fd 100644 --- a/scripts/healthcheck.py +++ b/scripts/healthcheck.py @@ -4,7 +4,7 @@ def main(): - req = requests.get("http://0.0.0.0:8080/oxauth/restv1/health-check") + req = requests.get("http://0.0.0.0:8080/jans-auth/sys/health-check") if not req.ok: sys.exit(1) diff --git a/scripts/jca_sync.py b/scripts/jca_sync.py index 96629b63..d029bc17 100644 --- a/scripts/jca_sync.py +++ b/scripts/jca_sync.py @@ -8,7 +8,7 @@ from jans.pycloudlib.document import RClone ROOT_DIR = "/repository/default" -SYNC_DIR = "/opt/gluu/jetty/oxauth/custom" +SYNC_DIR = "/opt/jans/jetty/jans-auth/custom" logging.config.dictConfig(LOGGING_CONFIG) logger = logging.getLogger("webdav") @@ -40,10 +40,10 @@ def sync_to_webdav(url, username, password): def get_sync_interval(): default = 5 * 60 # 5 minutes - if "JANS_JCA_SYNC_INTERVAL" in os.environ: - env_name = "JANS_JCA_SYNC_INTERVAL" + if "CN_JCA_SYNC_INTERVAL" in os.environ: + env_name = "CN_JCA_SYNC_INTERVAL" else: - env_name = "JANS_JACKRABBIT_SYNC_INTERVAL" + env_name = "CN_JACKRABBIT_SYNC_INTERVAL" try: interval = int(os.environ.get(env_name, default)) 
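Review bot: `requests.get("http://0.0.0.0:8080/jans-auth/sys/health-check")` has no `timeout`, so a hung Jetty leaves the health check blocked indefinitely instead of failing, which defeats its purpose under a container orchestrator. Pass an explicit bound, e.g. `req = requests.get("http://0.0.0.0:8080/jans-auth/sys/health-check", timeout=5)`, and consider catching `requests.RequestException` so a refused connection exits 1 rather than with a traceback. The rest of `main`, if any, is outside this hunk.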
@@ -53,25 +53,25 @@ def get_sync_interval(): def get_jackrabbit_url(): - if "JANS_JCA_URL" in os.environ: - return os.environ["JANS_JCA_URL"] - return os.environ.get("JANS_JACKRABBIT_URL", "http://localhost:8080") + if "CN_JCA_URL" in os.environ: + return os.environ["CN_JCA_URL"] + return os.environ.get("CN_JACKRABBIT_URL", "http://localhost:8080") def main(): - store_type = os.environ.get("JANS_DOCUMENT_STORE_TYPE", "LOCAL") + store_type = os.environ.get("CN_DOCUMENT_STORE_TYPE", "LOCAL") if store_type != "JCA": logger.warning(f"Using {store_type} document store; sync is disabled ...") return url = get_jackrabbit_url() - username = os.environ.get("JANS_JACKRABBIT_ADMIN_ID", "admin") + username = os.environ.get("CN_JACKRABBIT_ADMIN_ID", "admin") password = "" password_file = os.environ.get( - "JANS_JACKRABBIT_ADMIN_PASSWORD_FILE", - "/etc/gluu/conf/jackrabbit_admin_password", + "CN_JACKRABBIT_ADMIN_PASSWORD_FILE", + "/etc/jans/conf/jackrabbit_admin_password", ) with contextlib.suppress(FileNotFoundError): with open(password_file) as f: diff --git a/scripts/jks_sync.py b/scripts/jks_sync.py index 875784d9..b00a4b7a 100644 --- a/scripts/jks_sync.py +++ b/scripts/jks_sync.py @@ -16,12 +16,12 @@ def jks_created(): - manager.secret.to_file("oxauth_jks_base64", "/etc/certs/oxauth-keys.jks", decode=True, binary_mode=True) + manager.secret.to_file("oxauth_jks_base64", "/etc/certs/auth-server-keys.jks", decode=True, binary_mode=True) return True def jwks_created(): - with open("/etc/certs/oxauth-keys.json", "w") as f: + with open("/etc/certs/auth-server-keys.json", "w") as f: f.write(base64.b64decode( manager.secret.get("oxauth_openid_key_base64") ).decode()) 
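Review bot: In `main` a missing `CN_JACKRABBIT_ADMIN_PASSWORD_FILE` is silently tolerated by `contextlib.suppress(FileNotFoundError)`, leaving `password` as the empty string so the sync proceeds to authenticate as `admin` with no password; the rest of the function is outside this hunk, but nothing visible reports the condition. Replacing the suppress with an explicit `except FileNotFoundError:` that calls `logger.warning("password file %s not found; using empty password", password_file)` keeps the best-effort behaviour while making the misconfiguration visible. The `http://localhost:8080` default in `get_jackrabbit_url` means the admin credentials travel in plaintext whenever the URL is overridden with a non-TLS remote host, which deserves a one-line comment on that function.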
@@ -45,28 +45,28 @@ def should_sync_jks(): def sync_jks(): if jks_created(): - logger.info("oxauth-keys.jks has been synchronized") + logger.info("auth-server-keys.jks has been synchronized") return True return False def sync_jwks(): if jwks_created(): - logger.info("oxauth-keys.json has been synchronized") + logger.info("auth-server-keys.json has been synchronized") return True return False def main(): sync_enabled = as_boolean( - os.environ.get("JANS_SYNC_JKS_ENABLED", False) + os.environ.get("CN_SYNC_JKS_ENABLED", False) ) if not sync_enabled: logger.warning("JKS sync is disabled") return # delay between JKS sync (in seconds) - sync_interval = os.environ.get("JANS_SYNC_JKS_INTERVAL", 30) + sync_interval = os.environ.get("CN_SYNC_JKS_INTERVAL", 30) try: sync_interval = int(sync_interval) diff --git a/scripts/mod_context.py b/scripts/mod_context.py index 231c5bbb..801b427b 100644 --- a/scripts/mod_context.py +++ b/scripts/mod_context.py @@ -1,8 +1,8 @@ import glob -def modify_oxauth_xml(): - fn = "/opt/gluu/jetty/oxauth/webapps/oxauth.xml" +def modify_auth_server_xml(): + fn = "/opt/jans/jetty/jans-auth/webapps/jans-auth.xml" with open(fn) as f: txt = f.read() @@ -10,12 +10,12 @@ def modify_oxauth_xml(): with open(fn, "w") as f: ctx = { "extra_classpath": ",".join([ - j.replace("/opt/gluu/jetty/oxauth", ".") - for j in glob.iglob("/opt/gluu/jetty/oxauth/custom/libs/*.jar") + j.replace("/opt/jans/jetty/jans-auth", ".") + for j in glob.iglob("/opt/jans/jetty/jans-auth/custom/libs/*.jar") ]) } f.write(txt % ctx) if __name__ == "__main__": - modify_oxauth_xml() + modify_auth_server_xml() diff --git a/scripts/wait.py b/scripts/wait.py index 610e24c5..0ccdeec0 100644 --- a/scripts/wait.py +++ b/scripts/wait.py 
@@ -14,10 +14,10 @@ def main(): - persistence_type = os.environ.get("JANS_PERSISTENCE_TYPE", "ldap") + persistence_type = os.environ.get("CN_PERSISTENCE_TYPE", "ldap") validate_persistence_type(persistence_type) - ldap_mapping = os.environ.get("JANS_PERSISTENCE_LDAP_MAPPING", "default") + ldap_mapping = os.environ.get("CN_PERSISTENCE_LDAP_MAPPING", "default") validate_persistence_ldap_mapping(persistence_type, ldap_mapping) manager = get_manager()