# # Copyright © 2021,2022 IsardVDI S.L. # # This file is part of DD # # DD is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or (at your # option) any later version. # # DD is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more # details. # # You should have received a copy of the GNU Affero General Public License # along with DD. If not, see . # # SPDX-License-Identifier: AGPL-3.0-or-later import json import logging as log import os import pprint import random import string import time import traceback from datetime import datetime, timedelta import psycopg2 import yaml from admin.lib.keycloak_client import KeycloakClient from admin.lib.mysql import Mysql app = {} app["config"] = {} nickname_script=""" var Output = user.getFirstName()+" "+user.getLastName(); Output; """ class WordpressSaml: def __init__(self): self.url = "http://dd-sso-keycloak:8080/auth/" self.username = os.environ["KEYCLOAK_USER"] self.password = os.environ["KEYCLOAK_PASSWORD"] self.realm = "master" self.verify = True ready = False while not ready: try: self.db = Mysql( "dd-apps-mariadb", "wordpress", os.environ["WORDPRESS_MARIADB_USER"], os.environ["WORDPRESS_MARIADB_PASSWORD"], ) ready = True except: log.warning("Could not connect to wordpress database. Retrying...") time.sleep(2) log.info("Connected to wordpress database.") basepath = os.path.dirname(__file__) ready = False while not ready: try: with open( os.path.abspath( os.path.join(basepath, "../saml_certs/wordpress.crt") ), "r", ) as crt: app["config"]["PUBLIC_CERT_RAW"] = crt.read() app["config"]["PUBLIC_CERT"] = self.cert_prepare( app["config"]["PUBLIC_CERT_RAW"] ) ready = True except IOError: log.warning( "Could not get public certificate to be used in wordpress. Retrying..." ) log.warning( " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" ) time.sleep(2) except: log.error(traceback.format_exc()) log.info("Got moodle srt certificate to be used in wordpress.") ready = False while not ready: try: with open( os.path.abspath( os.path.join(basepath, "../saml_certs/wordpress.key") ), "r", ) as pem: app["config"]["PRIVATE_KEY"] = self.cert_prepare(pem.read()) ready = True except IOError: log.warning( "Could not get private key to be used in wordpress. Retrying..." ) log.warning( " You should generate them: /admin/saml_certs # openssl req -nodes -new -x509 -keyout private.key -out public.cert" ) time.sleep(2) log.info("Got moodle pem certificate to be used in wordpress.") # ## This seems related to the fact that the certificate generated the first time does'nt work. # ## And when regenerating the certificate de privatekeypass seems not to be used and instead it # ## will use always this code as filename: 0f635d0e0f3874fff8b581c132e6c7a7 # ## As this bug I'm not able to solve, the process is: # ## 1.- Bring up moodle and regenerate certificates on saml2 plugin in plugins-authentication # ## 2.- Execute this script # ## 3.- Cleanup all caches in moodle (Development tab) # # with open(os.path.join("./moodledata/saml2/"+os.environ['NEXTCLOUD_SAML_PRIVATEKEYPASS'].replace("moodle."+os.environ['DOMAIN'],'')+'.idp.xml'),"w") as xml: # # xml.write(self.parse_idp_metadata()) # with open(os.path.join("./moodledata/saml2/0f635d0e0f3874fff8b581c132e6c7a7.idp.xml"),"w") as xml: # xml.write(self.parse_idp_metadata()) try: self.reset_saml() except: print(traceback.format_exc()) print("Error resetting saml on wordpress") try: self.delete_keycloak_wordpress_saml_plugin() except: print("Error resetting saml on keycloak") try: self.set_wordpress_saml_plugin() except: print(traceback.format_exc()) print("Error adding saml on wordpress") try: self.add_keycloak_wordpress_saml() except: print("Error adding saml on keycloak") # SAML clients don't work well with composite roles so disabling and adding on realm # self.add_client_roles() def connect(self): self.keycloak = KeycloakClient( url=self.url, username=self.username, password=self.password, realm=self.realm, verify=self.verify, ) # def activate_saml_plugin(self): # ## After you need to purge moodle caches: /var/www/html # php admin/cli/purge_caches.php # return self.db.update("""UPDATE "mdl_config" SET value = 'email,saml2' WHERE "name" = 'auth'""") # def get_privatekey_pass(self): # return self.db.select("""SELECT * FROM "mdl_config" WHERE "name" = 'siteidentifier'""")[0][2] def cert_prepare(self, cert): return "".join(cert.split("-----")[2].splitlines()) def parse_idp_cert(self): self.connect() rsa = self.keycloak.get_server_rsa_key() self.keycloak = None return rsa["certificate"] def set_keycloak_wordpress_saml_plugin(self): self.connect() self.keycloak.add_wordpress_client() self.keycloak = None def delete_keycloak_wordpress_saml_plugin(self): self.connect() self.keycloak.delete_client("630601f8-25d1-4822-8741-c93affd2cd84") self.keycloak = None def set_wordpress_saml_plugin(self): # ('active_plugins', 'a:2:{i:0;s:33:\"edwiser-bridge/edwiser-bridge.php\";i:1;s:17:\"onelogin_saml.php\";}', 'yes'), self.db.update( """INSERT INTO wp_options (option_name, option_value, autoload) VALUES ('onelogin_saml_enabled', 'on', 'yes'), ('onelogin_saml_idp_entityid', 'Saml Login', 'yes'), ('onelogin_saml_idp_sso', 'https://sso.%s/auth/realms/master/protocol/saml', 'yes'), ('onelogin_saml_idp_slo', 'https://sso.%s/auth/realms/master/protocol/saml', 'yes'), ('onelogin_saml_idp_x509cert', '%s', 'yes'), ('onelogin_saml_autocreate', 'on', 'yes'), ('onelogin_saml_updateuser', 'on', 'yes'), ('onelogin_saml_forcelogin', 'on', 'yes'), ('onelogin_saml_slo', 'on', 'yes'), ('onelogin_saml_keep_local_login', '', 'yes'), ('onelogin_saml_alternative_acs', '', 'yes'), ('onelogin_saml_account_matcher', 'username', 'yes'), ('onelogin_saml_trigger_login_hook', '', 'yes'), ('onelogin_saml_multirole', '', 'yes'), ('onelogin_saml_trusted_url_domains', '', 'yes'), ('onelogin_saml_attr_mapping_username', 'username', 'yes'), ('onelogin_saml_attr_mapping_mail', 'email', 'yes'), ('onelogin_saml_attr_mapping_firstname', 'givenName', 'yes'), ('onelogin_saml_attr_mapping_lastname', 'sn', 'yes'), ('onelogin_saml_attr_mapping_nickname', '', 'yes'), ('onelogin_saml_attr_mapping_role', 'Role', 'yes'), ('onelogin_saml_attr_mapping_rememberme', '', 'yes'), ('onelogin_saml_role_mapping_administrator', 'admin', 'yes'), ('onelogin_saml_role_mapping_editor', 'manager', 'yes'), ('onelogin_saml_role_mapping_author', 'coursecreator', 'yes'), ('onelogin_saml_role_mapping_contributor', 'teacher', 'yes'), ('onelogin_saml_role_mapping_subscriber', '', 'yes'), ('onelogin_saml_role_mapping_multivalued_in_one_attribute_value', 'on', 'yes'), ('onelogin_saml_role_mapping_multivalued_pattern', '', 'yes'), ('onelogin_saml_role_order_administrator', '', 'yes'), ('onelogin_saml_role_order_editor', '', 'yes'), ('onelogin_saml_role_order_author', '', 'yes'), ('onelogin_saml_role_order_contributor', '', 'yes'), ('onelogin_saml_role_order_subscriber', '', 'yes'), ('onelogin_saml_customize_action_prevent_local_login', '', 'yes'), ('onelogin_saml_customize_action_prevent_reset_password', '', 'yes'), ('onelogin_saml_customize_action_prevent_change_password', '', 'yes'), ('onelogin_saml_customize_action_prevent_change_mail', '', 'yes'), ('onelogin_saml_customize_stay_in_wordpress_after_slo', 'on', 'yes'), ('onelogin_saml_customize_links_user_registration', '', 'yes'), ('onelogin_saml_customize_links_lost_password', '', 'yes'), ('onelogin_saml_customize_links_saml_login', '', 'yes'), ('onelogin_saml_advanced_settings_debug', '', 'yes'), ('onelogin_saml_advanced_settings_strict_mode', '', 'yes'), ('onelogin_saml_advanced_settings_sp_entity_id', '', 'yes'), ('onelogin_saml_advanced_idp_lowercase_url_encoding', '', 'yes'), ('onelogin_saml_advanced_settings_nameid_encrypted', '', 'yes'), ('onelogin_saml_advanced_settings_authn_request_signed', 'on', 'yes'), ('onelogin_saml_advanced_settings_logout_request_signed', 'on', 'yes'), ('onelogin_saml_advanced_settings_logout_response_signed', 'on', 'yes'), ('onelogin_saml_advanced_settings_want_message_signed', '', 'yes'), ('onelogin_saml_advanced_settings_want_assertion_signed', '', 'yes'), ('onelogin_saml_advanced_settings_want_assertion_encrypted', '', 'yes'), ('onelogin_saml_advanced_settings_retrieve_parameters_from_server', '', 'yes'), ('onelogin_saml_advanced_nameidformat', 'unspecified', 'yes'), ('onelogin_saml_advanced_requestedauthncontext', '', 'yes'), ('onelogin_saml_advanced_settings_sp_x509cert', '%s', 'yes'), ('onelogin_saml_advanced_settings_sp_privatekey', '%s', 'yes'), ('onelogin_saml_advanced_signaturealgorithm', 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', 'yes'), ('onelogin_saml_advanced_digestalgorithm', 'http://www.w3.org/2000/09/xmldsig#sha1', 'yes');""" % ( os.environ["DOMAIN"], os.environ["DOMAIN"], self.parse_idp_cert(), app["config"]["PUBLIC_CERT"], app["config"]["PRIVATE_KEY"], ) ) def reset_saml(self): self.db.update( """DELETE FROM wp_options WHERE option_name LIKE 'onelogin_saml_%'""" ) def add_keycloak_wordpress_saml(self): client = { "id": "630601f8-25d1-4822-8741-c93affd2cd84", "clientId": "php-saml", "surrogateAuthRequired": False, "enabled": True, "alwaysDisplayInConsole": False, "clientAuthenticatorType": "client-secret", "redirectUris": [ "/realms/master/account/*", f"https://wp.{os.environ['DOMAIN']}/wp-login.php?saml_acs", f"https://wp.{os.environ['DOMAIN']}/*", ], "webOrigins": [f"https://wp.{os.environ['DOMAIN']}"], "notBefore": 0, "bearerOnly": False, "consentRequired": False, "standardFlowEnabled": True, "implicitFlowEnabled": False, "directAccessGrantsEnabled": False, "serviceAccountsEnabled": False, "publicClient": False, "frontchannelLogout": True, "protocol": "saml", "attributes": { "saml.force.post.binding": True, "saml_assertion_consumer_url_post": "https://wp." + os.environ["DOMAIN"] + "/wp-login.php?saml_acs", "saml.server.signature": True, "saml.server.signature.keyinfo.ext": False, "saml.signing.certificate": app["config"]["PUBLIC_CERT_RAW"], "saml_single_logout_service_url_redirect": "https://wp." + os.environ["DOMAIN"] + "/wp-login.php?saml_sls", "saml.signature.algorithm": "RSA_SHA256", "saml_force_name_id_format": False, "saml.client.signature": True, "saml.authnstatement": True, "saml_name_id_format": "username", "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#", }, "authenticationFlowBindingOverrides": {}, "fullScopeAllowed": True, "nodeReRegistrationTimeout": -1, "protocolMappers": [ { "id": "72c6175e-bd07-4c27-abd6-4e4ae38d834b", "name": "username", "protocol": "saml", "protocolMapper": "saml-user-attribute-mapper", "consentRequired": False, "config": { "attribute.nameformat": "Basic", "user.attribute": "username", "friendly.name": "username", "attribute.name": "username", }, }, { "id": "abd6562f-4732-4da9-987f-b1a6ad6605fa", "name": "roles", "protocol": "saml", "protocolMapper": "saml-role-list-mapper", "consentRequired": False, "config": { "single": True, "attribute.nameformat": "Basic", "friendly.name": "Roles", "attribute.name": "Role", }, }, { "id": "50aafb71-d91c-4bc7-bb60-e1ae0222aab3", "name": "email", "protocol": "saml", "protocolMapper": "saml-user-property-mapper", "consentRequired": False, "config": { "attribute.nameformat": "Basic", "user.attribute": "email", "friendly.name": "email", "attribute.name": "email", }, }, { "id": "b1befc6b-580f-4065-804c-b45d23a1af5d", "name": "nickname", "protocol": "saml", "protocolMapper": "saml-javascript-mapper", "consentRequired": False, "config": { "single": True, "Script": nickname_script, "attribute.nameformat": "Basic", "friendly.name": "nickname", "attribute.name": "nickname", }, }, ], "defaultClientScopes": [ "web-origins", "role_list", "roles", "profile", "email", ], "optionalClientScopes": [ "address", "phone", "offline_access", "microprofile-jwt", ], "access": {"view": True, "configure": True, "manage": True}, } self.connect() self.keycloak.add_client(client) self.keycloak = None def add_client_roles(self): self.connect() self.keycloak.add_client_role( "630601f8-25d1-4822-8741-c93affd2cd84", "admin", "Wordpress admins" ) self.keycloak.add_client_role( "630601f8-25d1-4822-8741-c93affd2cd84", "manager", "Wordpress managers" ) self.keycloak.add_client_role( "630601f8-25d1-4822-8741-c93affd2cd84", "teacher", "Wordpress teachers" ) self.keycloak.add_client_role( "630601f8-25d1-4822-8741-c93affd2cd84", "student", "Wordpress students" ) self.keycloak = None nw = WordpressSaml()