feat(jans-linux-setup): put KC behind apache #7092

Merged
merged 1 commit into from
Dec 14, 2023
feat(jans-linux-setup): put KC behind apache
Signed-off-by: Mustafa Baser <mbaser@mail.com>
devrimyatar committed Dec 13, 2023
commit 94e5d66cd53048cebe2b5641d72f69f640f8cc65
13 changes: 6 additions & 7 deletions jans-linux-setup/jans_setup/setup_app/installers/jans_saml.py
Expand Up @@ -16,7 +16,6 @@

# Config
Config.idp_config_http_port = '8083'
Config.idp_config_hostname = 'localhost'
Config.jans_idp_enabled = 'true'
Config.jans_idp_realm = 'jans-api'
Config.jans_idp_client_id = f'jans-api-{uuid.uuid4()}'
Expand All @@ -29,10 +28,6 @@
Config.jans_idp_ignore_validation = 'true'
Config.jans_idp_idp_metadata_file = 'idp-metadata.xml'

# change this when we figure out this
Config.keycloack_hostname = 'localhost'


class JansSamlInstaller(JettyInstaller):

install_var = 'install_jans_saml'
Expand Down Expand Up @@ -84,6 +79,10 @@ def __init__(self):
Config.jans_idp_sp_metadata_root_dir = os.path.join(self.idp_config_root_dir, 'sp/metadata')
Config.jans_idp_sp_metadata_temp_dir = os.path.join(self.idp_config_root_dir, 'sp/temp_metadata')

Config.idp_config_hostname = Config.hostname
Config.keycloack_hostname = Config.hostname


def install(self):
"""installation steps"""
self.create_scim_client()
Expand Down Expand Up @@ -188,7 +187,7 @@ def config_api_idp_plugin_config(self):
time.sleep(5)
try:
self.logIt("Connecting KC")
s.connect((Config.idp_config_hostname, int(Config.idp_config_http_port)))
s.connect(('localhost', int(Config.idp_config_http_port)))
self.logIt("Successfully connected to KC")
break
except Exception:
Expand All @@ -197,7 +196,7 @@ def config_api_idp_plugin_config(self):
self.logIt("KC did not start in 120 seconds. Giving up configuration", errorLog=True, fatal=True)

kcadm_cmd = '/opt/keycloak/bin/kcadm.sh'
kcm_server_url = f'http://{Config.idp_config_hostname}:{Config.idp_config_http_port}/'
kcm_server_url = f'http://localhost:{Config.idp_config_http_port}/kc'
env = {'JAVA_HOME': Config.jre_home}

with tempfile.TemporaryDirectory() as tmp_dir:
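Review bot: `__init__` now assigns `Config.idp_config_hostname` and `Config.keycloack_hostname` from `Config.hostname`, but the module-level defaults that previously guaranteed those attributes exist are removed in the same commit, so any code path that reads them (for example rendering the `${keycloack_hostname}` template) before `JansSamlInstaller()` has been constructed would now raise `AttributeError`; I cannot see whether `Config` declares them elsewhere, so either keep a module-level default or add a comment stating the installer must be instantiated first. The readiness probe and `kcm_server_url` hard-code `localhost` while the service template pins Keycloak to `--http-host=127.0.0.1`; using the same literal in both places, e.g. `s.connect(('127.0.0.1', int(Config.idp_config_http_port)))` and `kcm_server_url = f'http://127.0.0.1:{Config.idp_config_http_port}/kc'`, avoids a resolver that prefers `::1` making the probe time out while the service is actually up. Both `__init__` and `config_api_idp_plugin_config` begin and end outside the hunks shown.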
Expand Up @@ -268,7 +268,6 @@ def collect(self):
('jans_idp_ignore_validation', 'ignoreValidation')
):
if json_prop in jans_idp_config:
print("Exsits", json_prop, jans_idp_config[json_prop])
setattr(Config, config_var, jans_idp_config[json_prop])


Expand Up @@ -7,7 +7,8 @@ Type=simple
Environment="JAVA_HOME=%(jre_home)s"
Environment="KEYCLOAK_ADMIN=admin"
Environment="KEYCLOAK_ADMIN_PASSWORD=admin"
ExecStart=%(idp_config_data_dir)s/bin/kc.sh start-dev --http-port %(idp_config_http_port)s --log="console,file" --log-file="%(idp_config_data_dir)s/logs/keycloak.log" -Dlog.base="%(idp_config_data_dir)s/logs/%(service_name)s.log" -Djans.config.prop.path="%(idp_config_providers_dir)s"
ExecStart=%(idp_config_data_dir)s/bin/kc.sh start-dev --log="console,file" --proxy edge --hostname=%(hostname)s --hostname-admin=%(hostname)s --hostname-path=/kc --hostname-strict-https=true --http-enabled=true --http-relative-path=/kc --http-host=127.0.0.1 --http-port=%(idp_config_http_port)s --log="console,file" --log-file="%(idp_config_data_dir)s/logs/keycloak.log" -Dlog.base="%(idp_config_data_dir)s/logs/%(service_name)s.log" -Djans.config.prop.path="%(idp_config_providers_dir)s"

User=jetty
Group=jetty

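Review bot: The new `ExecStart` line passes `--log="console,file"` twice, once directly after `start-dev` and again before `--log-file`; drop the first occurrence so the line reads `... start-dev --proxy edge --hostname=%(hostname)s ...`. `--proxy edge` makes Keycloak trust `X-Forwarded-*` headers for scheme and client address, which is only sound because the listener is pinned to `--http-host=127.0.0.1`; a comment above the line such as `# keep --http-host on loopback: with --proxy edge Keycloak trusts forwarded headers from whoever reaches this port` would preserve that invariant if someone later widens the bind address. With the admin console now reachable through apache at `/kc`, the fixed `KEYCLOAK_ADMIN_PASSWORD=admin` in the surrounding context lines becomes network-reachable rather than loopback-only, so this change is a good point to have the installer render a generated value there instead of a literal. The unit file continues outside the hunk.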
15 changes: 13 additions & 2 deletions jans-linux-setup/jans_setup/templates/apache/https_jans.conf
Expand Up @@ -31,8 +31,7 @@
Header always set X-Content-Type-Options nosniff
# Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' https://%(hostname)s"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# Unset X-ClientCert to make sure that we not get certificate in request
Expand Down Expand Up @@ -62,37 +61,43 @@
</Proxy>

<Location /jans-scim>
Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
ProxyPass http://localhost:8087/jans-scim retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>

<Location /jans-fido2>
Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
ProxyPass http://localhost:8073/jans-fido2 retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>

<Location /jans-auth>
Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
ProxyPass http://localhost:8081/jans-auth retry=5 connectiontimeout=60 timeout=60
# Header set Access-Control-Allow-Origin "*"
Order deny,allow
Allow from all
</Location>

<Location /jans-config-api>
Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
ProxyPass http://localhost:8074/jans-config-api retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>

<Location /jans-eleven>
Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
ProxyPass http://localhost:8075/jans-eleven retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>

<Location /jans-casa>
Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly
ProxyPass http://localhost:%(casa_web_port)s/jans-casa retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
Expand All @@ -107,6 +112,12 @@
RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s
</LocationMatch>

<Location /kc>
ProxyPass http://localhost:8083/kc retry=5 connectiontimeout=60 timeout=60
Order deny,allow
Allow from all
</Location>

ProxyPass /.well-known/openid-configuration http://localhost:8081/jans-auth/.well-known/openid-configuration
ProxyPass /.well-known/webfinger http://localhost:8081/jans-auth/.well-known/webfinger
ProxyPass /.well-known/uma2-configuration http://localhost:8081/jans-auth/restv1/uma2-configuration
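Review bot: The new `<Location /kc>` block is the only proxied location that does not carry the `Header edit Set-Cookie ^((?!opbs|session_state).*)$ $1;HttpOnly` line the commit moves into every other `<Location>`, so cookies Keycloak sets through `/kc` are passed through exactly as Keycloak emits them; if that is deliberate (Keycloak controls its own cookie attributes), add a one-line comment in the block saying so, otherwise add the same line. mod_proxy does not set `X-Forwarded-Proto` by default and the service unit runs Keycloak with `--proxy edge`, so `RequestHeader set X-Forwarded-Proto "https"` inside `<Location /kc>` lets Keycloak see the real scheme instead of relying only on `--hostname-strict-https`. The backend port `8083` is hard-coded here while the Python installer also defines it as `Config.idp_config_http_port = '8083'`; rendering it as `%(idp_config_http_port)s`, as the casa block does with `%(casa_web_port)s`, keeps the two from drifting.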
Expand Up @@ -4,7 +4,7 @@
"trustedIdpDn":"ou=trusted-idp,o=jans",
"enabled": "true",
"selectedIdp": "keycloak",
"serverUrl":"https://${keycloack_hostname}",
"serverUrl":"https://${keycloack_hostname}/kc",
"realm": "${jans_idp_realm}",
"clientId": "${jans_idp_client_id}",
"clientSecret": "${jans_idp_client_secret}",