
Example 6 with RoleAssignmentEntry

use of com.emc.storageos.model.auth.RoleAssignmentEntry in project coprhd-controller by CoprHD.

the class RoleAssignmentUtils method addRootUserIfRequired.

/**
 * Guarantees that the built-in root account appears in the given list and
 * holds the four system-wide roles.
 * <p>
 * The list is amended in place. An existing entry whose subject id equals
 * {@code ROOT_USERNAME} (compared case-insensitively) is reused; otherwise a
 * fresh entry for root is appended. In either case {@code Security.SYSTEM_ADMIN},
 * {@code SYSTEM_MONITOR}, {@code SYSTEM_AUDITOR} and {@code SECURITY_ADMIN} are
 * added to that entry's role collection unconditionally, so callers always see
 * root with these roles regardless of what the list contained beforehand.
 *
 * @param roleAssignmentEntries mutable list of assignments to amend
 */
private static void addRootUserIfRequired(List<RoleAssignmentEntry> roleAssignmentEntries) {
    RoleAssignmentEntry rootEntry = findEntryForRoot(roleAssignmentEntries);
    if (rootEntry == null) {
        rootEntry = new RoleAssignmentEntry();
        rootEntry.setSubjectId(ROOT_USERNAME);
        roleAssignmentEntries.add(rootEntry);
    }
    // Same insertion order as before so the displayed role list is unchanged.
    String[] systemRoles = {
            Security.SYSTEM_ADMIN,
            Security.SYSTEM_MONITOR,
            Security.SYSTEM_AUDITOR,
            Security.SECURITY_ADMIN
    };
    for (String systemRole : systemRoles) {
        rootEntry.getRoles().add(systemRole);
    }
}

/**
 * Returns the first entry whose subject id is the root user name
 * (case-insensitive), or {@code null} when no such entry exists.
 *
 * @param entries assignments to scan
 * @return matching entry or {@code null}
 */
private static RoleAssignmentEntry findEntryForRoot(List<RoleAssignmentEntry> entries) {
    for (RoleAssignmentEntry candidate : entries) {
        if (StringUtils.equalsIgnoreCase(ROOT_USERNAME, candidate.getSubjectId())) {
            return candidate;
        }
    }
    return null;
}

Example 7 with RoleAssignmentEntry

use of com.emc.storageos.model.auth.RoleAssignmentEntry in project coprhd-controller by CoprHD.

the class RoleAssignmentUtils method getVDCRoleAssignments.

/**
 * Returns the virtual data center role assignments for display.
 * <p>
 * The assignments are fetched from the ViPR client only when the current
 * caller passes {@code Security.isSecurityAdminOrRestrictedSecurityAdmin()};
 * for any other caller nothing is fetched and the result holds only the
 * synthesized root entry. Fetched entries that refer to the same subject
 * (per {@code isSameRoleAssignmentEntry}) are merged by adding their roles to
 * the first entry seen. Finally {@code addRootUserIfRequired} ensures the root
 * account is present with its system roles.
 *
 * @return a new, mutable list of merged assignments; never {@code null}
 */
public static List<RoleAssignmentEntry> getVDCRoleAssignments() {
    List<RoleAssignmentEntry> merged = Lists.newArrayList();
    if (Security.isSecurityAdminOrRestrictedSecurityAdmin()) {
        for (RoleAssignmentEntry vdcEntry : getViprClient().vdc().getRoleAssignments()) {
            mergeEntry(merged, vdcEntry);
        }
    }
    addRootUserIfRequired(merged);
    return merged;
}

/**
 * Folds {@code entry} into {@code target}: its roles are added to the first
 * existing entry for the same subject, otherwise the entry itself is appended.
 *
 * @param target list being built up
 * @param entry  assignment to merge
 */
private static void mergeEntry(List<RoleAssignmentEntry> target, RoleAssignmentEntry entry) {
    for (RoleAssignmentEntry existing : target) {
        if (isSameRoleAssignmentEntry(existing, entry)) {
            existing.getRoles().addAll(entry.getRoles());
            return;
        }
    }
    target.add(entry);
}

Example 8 with RoleAssignmentEntry

use of com.emc.storageos.model.auth.RoleAssignmentEntry in project coprhd-controller by CoprHD.

the class RoleAssignmentUtils method createRoleAssignmentEntry.

/**
 * Builds a single-role assignment for a user or a group.
 * <p>
 * For {@code RoleAssignmentType.USER} the name becomes the subject id, for
 * {@code RoleAssignmentType.GROUP} it becomes the group. Any other type
 * (including {@code null}) leaves both unset; the role is added either way.
 *
 * @param type whether {@code name} denotes a user or a group
 * @param name user or group identifier
 * @param role role name to assign
 * @return a new entry carrying exactly one role
 */
public static RoleAssignmentEntry createRoleAssignmentEntry(RoleAssignmentType type, String name, String role) {
    RoleAssignmentEntry entry = new RoleAssignmentEntry();
    boolean forUser = RoleAssignmentType.USER.equals(type);
    boolean forGroup = !forUser && RoleAssignmentType.GROUP.equals(type);
    if (forUser) {
        entry.setSubjectId(name);
    } else if (forGroup) {
        entry.setGroup(name);
    }
    entry.getRoles().add(role);
    return entry;
}

Example 9 with RoleAssignmentEntry

use of com.emc.storageos.model.auth.RoleAssignmentEntry in project coprhd-controller by CoprHD.

the class AuthSvcTests method runProxyTokenExpiryTest.

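/**
 * Exercises proxy-token lifetime for an AD/LDAP-backed user.
 * <p>
 * Through the REST API it: logs in as the system admin and as an AD user and
 * grants the AD user TENANT_ADMIN on its tenant; obtains a proxy token for the
 * AD user and checks that the proxy user can read that tenant with the token
 * (200), both immediately and after waiting one expiry interval; then disables
 * the authentication provider, waits another interval and checks that the same
 * proxy token is now rejected (401).
 * <p>
 * The wait interval in minutes comes from the environment variable
 * {@code TIME_TO_WAIT_IN_MINUTES_SET_IN_SECURITY_MODULE_XML} and defaults to 1
 * when it is unset or not an integer. Previously the interval variable was
 * declared inside the {@code try} block, so the catch branch and the later
 * sleeps referenced it out of scope; it is now declared once up front.
 *
 * @throws Exception on any REST, I/O or interruption failure
 */
private void runProxyTokenExpiryTest() throws Exception {
    int timeToWaitInMinutes = readTimeToWaitInMinutes();
    WebResource rRoot = createHttpsClient(SYSADMIN, SYSADMIN_PASS_WORD, true).resource(baseAuthServiceURL);
    rRoot.path("/login").get(ClientResponse.class);
    // post authProvider
    updateADConfig();
    // login with a user from ldap
    WebResource rSanityUser = createHttpsClient(ROOTUSER, AD_PASS_WORD, true).resource(baseAuthServiceURL);
    rSanityUser.path("/login").get(ClientResponse.class);
    TenantResponse tenant = rSanityUser.path("/tenant").get(TenantResponse.class);
    String tenantPath = "/tenants/" + tenant.getTenant();
    // make the user a tenant_admin
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    RoleAssignmentEntry addTenantAdmin = new RoleAssignmentEntry();
    addTenantAdmin.setSubjectId(ROOTUSER);
    addTenantAdmin.getRoles().add("TENANT_ADMIN");
    changes.setAdd(new ArrayList<RoleAssignmentEntry>());
    changes.getAdd().add(addTenantAdmin);
    rRoot.path(tenantPath + "/role-assignments").put(changes);
    // create a proxy token for that user
    ClientResponse resp = rSanityUser.path("/proxytoken").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String proxyToken = (String) _savedProxyTokens.get(ROOTUSER);
    Assert.assertNotNull(proxyToken);
    // logon with proxyuser
    WebResource rProxy = createHttpsClient(PROXY_USER, PROXY_USER_PWD, true).resource(baseApiServiceURL);
    rProxy.path("/login").get(ClientResponse.class);
    // the proxy user may read the sanity user's tenant with the proxy token
    Assert.assertEquals(200, getTenantStatusViaProxy(rProxy, tenantPath, proxyToken));
    // the token must survive one expiry interval while the provider is enabled
    waitForTokenExpiry(timeToWaitInMinutes);
    Assert.assertEquals(200, getTenantStatusViaProxy(rProxy, tenantPath, proxyToken));
    // disable the authprovider the user was authenticated against
    AuthnUpdateParam updateParam = new AuthnUpdateParam();
    updateParam.setDisable(true);
    rRoot.path("/vdc/admin/authnproviders/" + _goodADConfig).put(updateParam);
    // after the interval the token must no longer be accepted
    waitForTokenExpiry(timeToWaitInMinutes);
    Assert.assertEquals(401, getTenantStatusViaProxy(rProxy, tenantPath, proxyToken));
}

/**
 * Reads the expiry wait interval from the environment.
 *
 * @return the configured number of minutes, or 1 when the variable is absent
 *         or not parseable as an integer
 */
private int readTimeToWaitInMinutes() {
    String configured = System.getenv("TIME_TO_WAIT_IN_MINUTES_SET_IN_SECURITY_MODULE_XML");
    if (configured == null) {
        return 1;
    }
    try {
        return Integer.parseInt(configured);
    } catch (NumberFormatException e) {
        // best effort: an unparseable value falls back to the one-minute default
        return 1;
    }
}

/**
 * Sleeps for the given number of minutes.
 * <p>
 * The multiplication is done in {@code long} so a large configured interval
 * cannot overflow {@code int} before it reaches {@link Thread#sleep(long)}.
 *
 * @param minutes minutes to wait
 * @throws InterruptedException if the sleep is interrupted
 */
private void waitForTokenExpiry(int minutes) throws InterruptedException {
    Thread.sleep(minutes * 60L * 1000L);
}

/**
 * Requests {@code tenantPath} as the proxy user, presenting the proxy token.
 *
 * @param rProxy     resource logged in as the proxy user
 * @param tenantPath tenant path to request
 * @param proxyToken token placed in the {@code AUTH_PROXY_TOKEN_HEADER} header
 * @return the HTTP status of the response
 */
private int getTenantStatusViaProxy(WebResource rProxy, String tenantPath, String proxyToken) {
    ClientResponse resp = rProxy.path(tenantPath).header(AUTH_PROXY_TOKEN_HEADER, proxyToken).get(ClientResponse.class);
    return resp.getStatus();
}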

Example 10 with RoleAssignmentEntry

use of com.emc.storageos.model.auth.RoleAssignmentEntry in project coprhd-controller by CoprHD.

the class RoleChangeTest method tenantAdmin.

/**
 * Verifies that a user granted TENANT_ADMIN on the root tenant can list the
 * tenant's role assignments, that whoami reports exactly that one home-tenant
 * role (no VDC or sub-tenant roles), and that the user can create a project.
 *
 * @throws Exception on any REST or I/O failure
 */
@Test
public void tenantAdmin() throws Exception {
    String tenantPath = "/tenants/" + rootTenantId;
    // assign Provider Tenant's Tenant admin to AD user
    ArrayList<String> tenantAdminRoles = new ArrayList<String>();
    tenantAdminRoles.add("TENANT_ADMIN");
    RoleAssignmentEntry entry = new RoleAssignmentEntry();
    entry.setSubjectId(TENANTADMIN);
    entry.setRoles(tenantAdminRoles);
    List<RoleAssignmentEntry> toAdd = new ArrayList<RoleAssignmentEntry>();
    toAdd.add(entry);
    RoleAssignmentChanges changes = new RoleAssignmentChanges();
    changes.setAdd(toAdd);
    ClientResponse resp = superSanity.path(tenantPath + "/role-assignments")
            .header(AUTH_TOKEN_HEADER, superSanityToken)
            .put(ClientResponse.class, changes);
    Assert.assertEquals(200, resp.getStatus());
    // list tenant's role-assignments as the new tenant admin
    BalancedWebResource tenantAdmin = createHttpsClient(TENANTADMIN, AD_PASS_WORD, baseUrls);
    resp = tenantAdmin.path(tenantPath + "/role-assignments").get(ClientResponse.class);
    Assert.assertEquals(200, resp.getStatus());
    String tenantAdminToken = (String) _savedTokens.get(TENANTADMIN);
    // tenantadmin whoami: only the home-tenant role should be reported
    UserInfo whoAmI = tenantAdmin.path("/user/whoami").get(UserInfo.class);
    Assert.assertEquals(TENANTADMIN, whoAmI.getCommonName());
    Assert.assertEquals(0, whoAmI.getVdcRoles().size());
    Assert.assertEquals(1, whoAmI.getHomeTenantRoles().size());
    Assert.assertEquals(0, whoAmI.getSubTenantRoles().size());
    Assert.assertTrue(whoAmI.getHomeTenantRoles().contains("TENANT_ADMIN"));
    // create project
    ProjectParam newProject = new ProjectParam();
    newProject.setName("project_unittest" + new Random().nextInt());
    resp = tenantAdmin.path(tenantPath + "/projects")
            .header(AUTH_TOKEN_HEADER, tenantAdminToken)
            .post(ClientResponse.class, newProject);
    Assert.assertEquals(200, resp.getStatus());
}
