
Example 1 with BasePermissionsHelper

use of com.emc.storageos.security.authorization.BasePermissionsHelper in project coprhd-controller by CoprHD.

the class StorageOSLdapPersonAttributeDao method getStorageOSUserAndTenants.

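/**
 * Looks up exactly one LDAP/AD user by principal name and maps it to the tenants whose
 * user mappings it matches.
 * <p>
 * The username must carry a domain suffix ({@code user@domain}); the domain selects the
 * authentication-provider domains and the stored tenant user mappings that are considered.
 * When {@code tenantURI} is given, {@code usermapping} replaces the stored mapping of that
 * tenant for this lookup, so a mapping can be validated before it is persisted.
 *
 * @param username      user principal name, expected in {@code user@domain} form
 * @param failureReason single-element out-parameter; index 0 is set whenever {@code null}
 *                      is returned for a reason the caller should report
 * @param tenantURI     tenant whose mapping is overridden by {@code usermapping}, or {@code null}
 * @param usermapping   mapping used for {@code tenantURI}; ignored when {@code tenantURI} is {@code null}
 * @return the user together with the tenants it maps to, or {@code null} when the username is
 *         malformed, the filter cannot be built, or the search does not yield exactly one user
 */
private UserAndTenants getStorageOSUserAndTenants(String username, ValidationFailureReason[] failureReason, URI tenantURI, List<UserMapping> usermapping) {
    BasePermissionsHelper permissionsHelper = new BasePermissionsHelper(_dbClient, false);
    final String[] userDomain = username.split("@");
    if (userDomain.length < 2) {
        _log.error("Illegal username {} missing domain", username);
        failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
        return null;
    }
    final String domain = userDomain[1];
    // NOTE(review): the search filter is built from the raw username by LdapFilterUtil;
    // confirm that helper escapes LDAP filter metacharacters before interpolating it.
    final String ldapQuery = LdapFilterUtil.getPersonFilterWithValues(_filter, username);
    if (ldapQuery == null) {
        // Two placeholders: the message previously had only one, so the username argument was dropped.
        _log.error("Null query filter from string {} for username {}", _filter, username);
        failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
        return null;
    }
    StringSet authnProviderDomains = getAuthnProviderDomains(domain);
    List<String> attrs = new ArrayList<String>();
    Map<URI, List<UserMapping>> tenantToMappingMap = permissionsHelper.getAllUserMappingsForDomain(authnProviderDomains);
    if (_searchControls.getReturningAttributes() != null) {
        Collections.addAll(attrs, _searchControls.getReturningAttributes());
    }
    if (tenantURI != null) {
        // The caller-supplied mapping takes precedence over whatever is stored for this tenant.
        tenantToMappingMap.put(tenantURI, usermapping);
    }
    printTenantToMappingMap(tenantToMappingMap);
    // Add attributes that need to be released for tenant mapping
    for (List<UserMapping> mappings : tenantToMappingMap.values()) {
        if (mappings == null) {
            continue;
        }
        for (UserMapping mapping : mappings) {
            if (mapping.getAttributes() != null && !mapping.getAttributes().isEmpty()) {
                for (UserMappingAttribute mappingAttribute : mapping.getAttributes()) {
                    attrs.add(mappingAttribute.getKey());
                }
            }
        }
    }
    // Now get the returning attributes from the userGroup table.
    getReturningAttributesFromUserGroups(permissionsHelper, domain, attrs);
    // Create search controls with the additional attributes to return
    SearchControls dnSearchControls = new SearchControls(_searchControls.getSearchScope(), _searchControls.getCountLimit(), _searchControls.getTimeLimit(), attrs.toArray(new String[0]), _searchControls.getReturningObjFlag(), _searchControls.getDerefLinkFlag());
    // Filled by the mapper while the search result is processed; consumed by mapUserToTenant below.
    Map<String, List<String>> userMappingAttributes = new HashMap<String, List<String>>();
    StorageOSUserMapper userMapper = new StorageOSUserMapper(username, getDistinguishedNameAttribute(), userMappingAttributes);
    // Execute the query
    @SuppressWarnings("unchecked") final List<StorageOSUserDAO> storageOSUsers = safeLdapSearch(_baseDN, ldapQuery, dnSearchControls, userMapper, failureReason);
    if (null == storageOSUsers) {
        // safeLdapSearch is expected to have set failureReason for this case.
        _log.error("Query for user {} failed", username);
        return null;
    }
    StorageOSUserDAO storageOSUser = null;
    try {
        // Exactly one directory entry must match; anything else is treated as "not found".
        storageOSUser = DataAccessUtils.requiredUniqueResult(storageOSUsers);
        if (null == storageOSUser) {
            _log.error("Query for user {} yielded no results", username);
            failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
            return null;
        }
    } catch (IncorrectResultSizeDataAccessException ex) {
        _log.error("Query for user {} yielded incorrect number of results.", username, ex);
        failureReason[0] = ValidationFailureReason.USER_OR_GROUP_NOT_FOUND_FOR_TENANT;
        return null;
    }
    // If the type is AD then fetch the users tokenGroups
    if (_type == AuthnProvider.ProvidersType.ad) {
        List<String> groups = queryTokenGroups(ldapQuery, storageOSUser);
        StringBuilder groupsString = new StringBuilder("[ ");
        for (String group : groups) {
            groupsString.append(group).append(' ');
            storageOSUser.addGroup(group);
        }
        groupsString.append("]");
        _log.debug("User {} adding groups {}", username, groupsString);
    } else {
        // Non-AD providers resolve membership through the group entries' member attribute.
        if (!updateGroupsAndRootGroupsInLDAPByMemberAttribute(storageOSUser, failureReason)) {
            // null means Exception has been thrown and error logged already, empty means no group found in LDAP/AD
            _log.info("User {} is not in any AD/LDAP groups.", storageOSUser.getDistinguishedName());
        }
    }
    // Add the user's group based on the attributes.
    addUserGroupsToUserGroupList(permissionsHelper, domain, storageOSUser);
    return new UserAndTenants(storageOSUser, mapUserToTenant(authnProviderDomains, storageOSUser, userMappingAttributes, tenantToMappingMap, failureReason));
}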
Also used : UserMappingAttribute(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute) URI(java.net.URI) StorageOSUserDAO(com.emc.storageos.db.client.model.StorageOSUserDAO) UserMapping(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMapping) IncorrectResultSizeDataAccessException(org.springframework.dao.IncorrectResultSizeDataAccessException) StringSet(com.emc.storageos.db.client.model.StringSet) LdapServerList(com.emc.storageos.auth.impl.LdapServerList) URIQueryResultList(com.emc.storageos.db.client.constraint.URIQueryResultList) SearchControls(javax.naming.directory.SearchControls) BasePermissionsHelper(com.emc.storageos.security.authorization.BasePermissionsHelper)

Example 2 with BasePermissionsHelper

use of com.emc.storageos.security.authorization.BasePermissionsHelper in project coprhd-controller by CoprHD.

the class VdcControllerTest method setup.

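/**
 * Wires a {@code VdcControllerImpl} entirely to in-memory mocks (db client, coordinator,
 * geo client cache, operation lock helper) and gives it a throw-away keystore holding a
 * self-signed certificate, so controller logic can be exercised without any real VDC.
 * <p>
 * The key parameters (512-bit RSA, SHA1WithRSA) are deliberately weak to keep the fixture
 * fast; the certificate never leaves this test. Newer JDKs may refuse to generate or accept
 * 512-bit RSA keys — TODO confirm on the build JDK before relying on this fixture.
 *
 * @throws Exception from keystore loading and key/certificate generation
 */
@Before
public void setup() throws Exception {
    vdcController = new VdcControllerImpl();
    MockCoordinatorClient coordinator = new MockCoordinatorClient();
    // setup mock objects for vdc controller test
    dbClient = new MockDbClient();
    vdcController.setDbClient(dbClient);
    // Signature key generator that never consults a key store: loadKeys() is a no-op and
    // every request yields the same fixed test key.
    InternalApiSignatureKeyGenerator secretKeyGenerator = new InternalApiSignatureKeyGenerator() {

        @Override
        public synchronized void loadKeys() {
            // intentionally empty: nothing to load in the unit test
        }

        @Override
        public SecretKey getSignatureKey(SignatureKeyType type) {
            return SignatureHelper.createKey("test", InternalApiSignatureKeyGenerator.CURRENT_INTERVDC_API_SIGN_ALGO);
        }
    };
    clientManager = new MockGeoClientCacheManager(coordinator, secretKeyGenerator);
    vdcController.setGeoClientManager(clientManager);
    vdcController.setVdcOperationLockHelper(new MockVdcOperationLockHelper());
    // Empty in-memory keystore; the password only protects the test key entry below.
    keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    password = "some password".toCharArray();
    keystore.load(null, password);
    // CertAndKeyGen generates its own key pair, so no separate KeyPairGenerator is needed.
    CertAndKeyGen keypair = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
    X500Name x500Name = new X500Name("EMC", "EMC", "EMC", "EMC", "MA", "US");
    keypair.generate(512);
    PrivateKey privKey = keypair.getPrivateKey();
    chain = new X509Certificate[1];
    // Self-signed certificate valid for one year (validity is given in seconds).
    chain[0] = keypair.getSelfCertificate(x500Name, new Date(), (long) 365 * 24 * 60 * 60);
    keystore.setKeyEntry(KeystoreEngine.ViPR_KEY_AND_CERTIFICATE_ALIAS, privKey, password, chain);
    vdcController.setKeystore(keystore);
    vdcController.setSignatureGenerator(secretKeyGenerator);
    BasePermissionsHelper permissionsHelper = new BasePermissionsHelper(dbClient);
    vdcController.setPermissionsHelper(permissionsHelper);
    // Setup helper based on mocked db client
    VdcConfigHelper helper = new VdcConfigHelper();
    helper.setDbClient(dbClient);
    helper.setGeoClientCacheManager(clientManager);
    helper.setCoordinatorClient(coordinator);
    vdcController.setVdcHelper(helper);
    VdcUtil.setDbClient(dbClient);
    dbClient.buildGeodbData();
}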
Also used : PrivateKey(java.security.PrivateKey) SecureRandom(java.security.SecureRandom) VdcControllerImpl(com.emc.storageos.geo.vdccontroller.impl.VdcControllerImpl) KeyPairGenerator(java.security.KeyPairGenerator) X500Name(sun.security.x509.X500Name) Date(java.util.Date) CertAndKeyGen(sun.security.tools.keytool.CertAndKeyGen) InternalApiSignatureKeyGenerator(com.emc.storageos.security.authentication.InternalApiSignatureKeyGenerator) BasePermissionsHelper(com.emc.storageos.security.authorization.BasePermissionsHelper) VdcConfigHelper(com.emc.storageos.geo.service.impl.util.VdcConfigHelper) Before(org.junit.Before)

Example 3 with BasePermissionsHelper

use of com.emc.storageos.security.authorization.BasePermissionsHelper in project coprhd-controller by CoprHD.

the class VPlexUtil method lookupVplexProject.

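/**
 * Looks up the Project assigned to this VPlex for its artifacts, using the VPlex nativeGuid
 * as the project name. If one is found that belongs to the root tenant, it is returned.
 * Otherwise the project of the protoVolume is returned.
 * <p>
 * The prefix constraint may also return projects whose label merely starts with the
 * nativeGuid, so only an exact label match in the root tenant is accepted. Inactive
 * projects are skipped. Unlike {@code VPlexBlockServiceApiImpl.getVplexProject}, this
 * method never creates a project.
 *
 * @param protoVolume A volume from the backend array.
 *            If no VPlex project is found, the proto volume's project is returned.
 * @param vplexSystem A StorageSystem instance representing a VPlex.
 * @param dbClient A reference to a database client.
 *
 * @return Project instance (vplex project if created, otherwise protoVolume's project).
 */
public static Project lookupVplexProject(Volume protoVolume, StorageSystem vplexSystem, DbClient dbClient) {
    BasePermissionsHelper helper = new BasePermissionsHelper(dbClient);
    TenantOrg rootTenant = helper.getRootTenant();
    // Loop-invariant values, computed once.
    final String vplexGuid = vplexSystem.getNativeGuid();
    final String rootTenantId = rootTenant.getId().toString();
    PrefixConstraint constraint = PrefixConstraint.Factory.getLabelPrefixConstraint(Project.class, vplexGuid);
    URIQueryResultList result = new URIQueryResultList();
    dbClient.queryByConstraint(constraint, result);
    Iterator<URI> iter = result.iterator();
    while (iter.hasNext()) {
        Project project = dbClient.queryObject(Project.class, iter.next());
        // TRUE.equals also tolerates an unset inactive flag instead of unboxing it.
        if (project == null || Boolean.TRUE.equals(project.getInactive())) {
            continue;
        }
        if (vplexGuid.equals(project.getLabel()) && rootTenantId.equals(project.getTenantOrg().getURI().toString())) {
            return project;
        }
    }
    // VPlex project not found. Return the one from the proto volume.
    return dbClient.queryObject(Project.class, protoVolume.getProject().getURI());
}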
Also used : Project(com.emc.storageos.db.client.model.Project) PrefixConstraint(com.emc.storageos.db.client.constraint.PrefixConstraint) TenantOrg(com.emc.storageos.db.client.model.TenantOrg) URI(java.net.URI) BasePermissionsHelper(com.emc.storageos.security.authorization.BasePermissionsHelper) URIQueryResultList(com.emc.storageos.db.client.constraint.URIQueryResultList)

Example 4 with BasePermissionsHelper

use of com.emc.storageos.security.authorization.BasePermissionsHelper in project coprhd-controller by CoprHD.

the class StorageOSLdapPersonAttributeDao method mapUserToTenant.

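/**
 * Matches the user to the tenants whose user mappings accept its attributes and groups.
 * <p>
 * Every tenant in {@code tenantToMappingMap} with at least one matching mapping is included
 * in the result. When nothing matches, the user falls back to the root (provider) tenant,
 * but only if the root tenant has no attribute mappings of its own — a root mapping that is
 * being modified in this request is read from {@code tenantToMappingMap}, otherwise the
 * persisted one is consulted.
 *
 * @param domains               authentication-provider domains the user may belong to
 * @param storageOSUser         the user as read from the directory, including its groups
 * @param attributeKeyValuesMap attribute name to values released by the directory search
 * @param tenantToMappingMap    tenant id to the user mappings to evaluate
 * @param failureReason         out-parameter; currently not written by this method
 * @return tenant id to the mapping that matched; the root tenant fallback maps to {@code null}.
 *         Empty when no domain is given or nothing matched and the root tenant is restricted.
 */
private Map<URI, UserMapping> mapUserToTenant(StringSet domains, StorageOSUserDAO storageOSUser, Map<String, List<String>> attributeKeyValuesMap, Map<URI, List<UserMapping>> tenantToMappingMap, ValidationFailureReason[] failureReason) {
    Map<URI, UserMapping> tenants = new HashMap<URI, UserMapping>();
    if (CollectionUtils.isEmpty(domains)) {
        return tenants;
    }
    List<UserMappingAttribute> userMappingAttributes = new ArrayList<UserMappingAttribute>();
    for (Entry<String, List<String>> attributeKeyValues : attributeKeyValuesMap.entrySet()) {
        UserMappingAttribute userMappingAttribute = new UserMappingAttribute();
        userMappingAttribute.setKey(attributeKeyValues.getKey());
        userMappingAttribute.setValues(attributeKeyValues.getValue());
        userMappingAttributes.add(userMappingAttribute);
    }
    List<String> userMappingGroups = new ArrayList<String>();
    if (null != storageOSUser.getGroups()) {
        for (String group : storageOSUser.getGroups()) {
            // Group names are compared without their domain suffix and case-insensitively.
            final String groupName = group.split("@")[0].toUpperCase();
            userMappingGroups.add(groupName);
            _log.debug("Adding user's group {} to usermapping group ", groupName);
        }
    }
    for (Entry<URI, List<UserMapping>> tenantToMappingMapEntry : tenantToMappingMap.entrySet()) {
        if (tenantToMappingMapEntry == null || tenantToMappingMapEntry.getValue() == null) {
            continue;
        }
        for (String domain : domains) {
            for (UserMapping userMapping : tenantToMappingMapEntry.getValue()) {
                // A later matching mapping for the same tenant replaces an earlier one.
                if (userMapping.isMatch(domain, userMappingAttributes, userMappingGroups)) {
                    tenants.put(tenantToMappingMapEntry.getKey(), userMapping);
                }
            }
        }
    }
    // unless the root tenant is restricted by a mapping
    if (tenants.isEmpty()) {
        BasePermissionsHelper permissionsHelper = new BasePermissionsHelper(_dbClient, false);
        TenantOrg rootTenant = permissionsHelper.getRootTenant();
        // if yes, means Provider Tenant's user-mapping under modification.
        if (tenantToMappingMap.containsKey(rootTenant.getId())) {
            List<UserMapping> rootUserMapping = tenantToMappingMap.get(rootTenant.getId());
            // if yes, set user map to provider tenant.
            if (CollectionUtils.isEmpty(rootUserMapping)) {
                _log.debug("User {} did not match a tenant.  Assigning to root tenant since root does not have any attribute mappings", storageOSUser.getUserName());
                tenants.put(rootTenant.getId(), null);
            }
        // provider tenant is not in UserMapping parameter, means no change to its user-mapping in this request,
        // need to check if its original user-mapping is empty or not.
        } else if (rootTenant.getUserMappings() == null || rootTenant.getUserMappings().isEmpty()) {
            _log.debug("User {} did not match a tenant.  Assigning to root tenant since root does not have any attribute mappings", storageOSUser.getUserName());
            tenants.put(rootTenant.getId(), null);
        }
    }
    return tenants;
}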
Also used : UserMappingAttribute(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMappingAttribute) URI(java.net.URI) UserMapping(com.emc.storageos.security.authorization.BasePermissionsHelper.UserMapping) TenantOrg(com.emc.storageos.db.client.model.TenantOrg) LdapServerList(com.emc.storageos.auth.impl.LdapServerList) URIQueryResultList(com.emc.storageos.db.client.constraint.URIQueryResultList) BasePermissionsHelper(com.emc.storageos.security.authorization.BasePermissionsHelper)

Example 5 with BasePermissionsHelper

use of com.emc.storageos.security.authorization.BasePermissionsHelper in project coprhd-controller by CoprHD.

the class VPlexBlockServiceApiImpl method getVplexProject.

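/**
 * Returns the Project assigned to this VPlex for its artifacts.
 * If there is no existing Project, one is created.
 * <p>
 * The lookup mirrors {@code VPlexUtil.lookupVplexProject}: the prefix constraint may return
 * projects whose label merely starts with the nativeGuid, so only an exact label match in the
 * root tenant is accepted and inactive projects are skipped. A newly created project is
 * flagged {@code INTERNAL_OBJECT} because it is owned by the system, not by a user.
 *
 * @param vplexSystem A StorageSystem instance representing a VPlex.
 * @param dbClient A reference to a database client.
 * @param tenantsService Service used to create the project in the root tenant when none exists.
 *
 * @return Project instance that was created for holding this VPlex's private volumes/export groups.
 */
public static Project getVplexProject(StorageSystem vplexSystem, DbClient dbClient, TenantsService tenantsService) {
    BasePermissionsHelper helper = new BasePermissionsHelper(dbClient);
    TenantOrg rootTenant = helper.getRootTenant();
    // Loop-invariant values, computed once.
    final String vplexGuid = vplexSystem.getNativeGuid();
    final String rootTenantId = rootTenant.getId().toString();
    PrefixConstraint constraint = PrefixConstraint.Factory.getLabelPrefixConstraint(Project.class, vplexGuid);
    URIQueryResultList result = new URIQueryResultList();
    dbClient.queryByConstraint(constraint, result);
    Iterator<URI> iter = result.iterator();
    while (iter.hasNext()) {
        Project project = dbClient.queryObject(Project.class, iter.next());
        // TRUE.equals also tolerates an unset inactive flag instead of unboxing it.
        if (project == null || Boolean.TRUE.equals(project.getInactive())) {
            continue;
        }
        if (vplexGuid.equals(project.getLabel()) && rootTenantId.equals(project.getTenantOrg().getURI().toString())) {
            return project;
        }
    }
    // Create the project
    ProjectParam projectParam = new ProjectParam(vplexGuid);
    ProjectElement projectElement = tenantsService.createProject(rootTenant.getId(), projectParam, TenantOrg.PROVIDER_TENANT_ORG, rootTenantId);
    URI projectId = projectElement.getId();
    Project project = dbClient.queryObject(Project.class, projectId);
    // Mark as system-owned so it is hidden from ordinary project listings.
    project.addInternalFlags(DataObject.Flag.INTERNAL_OBJECT);
    dbClient.updateObject(project);
    return project;
}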
Also used : Project(com.emc.storageos.db.client.model.Project) ProjectParam(com.emc.storageos.model.project.ProjectParam) PrefixConstraint(com.emc.storageos.db.client.constraint.PrefixConstraint) ContainmentPrefixConstraint(com.emc.storageos.db.client.constraint.ContainmentPrefixConstraint) ProjectElement(com.emc.storageos.model.project.ProjectElement) TenantOrg(com.emc.storageos.db.client.model.TenantOrg) FCTN_STRING_TO_URI(com.emc.storageos.db.client.util.CommonTransformerFunctions.FCTN_STRING_TO_URI) NamedURI(com.emc.storageos.db.client.model.NamedURI) URI(java.net.URI) FCTN_VPLEX_MIRROR_TO_URI(com.emc.storageos.db.client.util.CommonTransformerFunctions.FCTN_VPLEX_MIRROR_TO_URI) BasePermissionsHelper(com.emc.storageos.security.authorization.BasePermissionsHelper) URIQueryResultList(com.emc.storageos.db.client.constraint.URIQueryResultList)
