
Example 1 with ParamWithValueType

Use of com.tremolosecurity.config.xml.ParamWithValueType in the project OpenUnison by TremoloSecurity.

From the class LoadAuthChainsFromK8s, method createAuthChain.

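/**
 * Builds an {@link AuthChainType} from the {@code spec} of an authentication-chain
 * custom resource.
 *
 * <p>Plain {@code params} on each mechanism are copied from the resource; each
 * {@code secretParams} entry is resolved by reading the referenced Kubernetes
 * Secret key, so the returned chain holds live secret material in memory and
 * must not be logged or serialized.
 *
 * @param item the raw custom resource as parsed by json-simple
 * @param name the chain name to assign
 * @return the populated chain
 * @throws Exception on malformed JSON (missing or mistyped fields) or a failed
 *     secret lookup
 */
private AuthChainType createAuthChain(JSONObject item, String name) throws Exception {
    AuthChainType act = new AuthChainType();
    act.setName(name);
    JSONObject spec = (JSONObject) item.get("spec");
    // json-simple parses integral JSON numbers as Long
    act.setLevel(((Long) spec.get("level")).intValue());
    Boolean finishOnRequiredSucess = (Boolean) spec.get("finishOnRequiredSucess");
    // absent flag defaults to false
    act.setFinishOnRequiredSucess(finishOnRequiredSucess != null && finishOnRequiredSucess);
    String root = (String) spec.get("root");
    if (root != null) {
        act.setRoot(root);
    }
    JSONObject jsonCompliance = (JSONObject) spec.get("compliance");
    if (jsonCompliance != null) {
        act.setCompliance(buildCompliance(jsonCompliance));
    }
    JSONArray mechs = (JSONArray) spec.get("authMechs");
    if (mechs != null) {
        for (Object o : mechs) {
            JSONObject mech = (JSONObject) o;
            AuthMechType amt = new AuthMechType();
            amt.setName((String) mech.get("name"));
            amt.setRequired((String) mech.get("required"));
            amt.setParams(new AuthMechParamType());
            addPlainParams(amt, (JSONObject) mech.get("params"));
            JSONArray secretParams = (JSONArray) mech.get("secretParams");
            if (secretParams != null) {
                addSecretParams(amt, secretParams);
            }
            act.getAuthMech().add(amt);
        }
    }
    return act;
}

/**
 * Converts the {@code compliance} object of a chain spec into lockout settings.
 *
 * @param jsonCompliance the non-null {@code compliance} object
 * @return the lockout configuration
 */
private static AuthLockoutType buildCompliance(JSONObject jsonCompliance) {
    AuthLockoutType alt = new AuthLockoutType();
    alt.setEnabled((Boolean) jsonCompliance.get("enabled"));
    // json-simple yields Long (never Integer) for integral numbers, so a direct
    // Integer cast throws ClassCastException; go through Number instead. The
    // key name is kept as-is for compatibility with existing resources.
    Object maxFailed = jsonCompliance.get("maxLockoutTime");
    if (maxFailed != null) {
        alt.setMaxFailedAttempts(((Number) maxFailed).intValue());
    }
    alt.setNumFailedAttribute((String) jsonCompliance.get("numFailedAttribute"));
    alt.setLastFailedAttribute((String) jsonCompliance.get("lastFailedAttribute"));
    alt.setLastSucceedAttribute((String) jsonCompliance.get("lastSucceedAttribute"));
    alt.setUpdateAttributesWorkflow((String) jsonCompliance.get("updateAttributesWorkflow"));
    alt.setUidAttributeName((String) jsonCompliance.get("uidAttributeName"));
    return alt;
}

/**
 * Copies the {@code params} object of a mechanism onto {@code amt}. A value is
 * either a single string or an array of strings, each element becoming one
 * parameter with the same name.
 *
 * @param amt the mechanism receiving the parameters
 * @param jsonObj the {@code params} object, or null for none
 */
private static void addPlainParams(AuthMechType amt, JSONObject jsonObj) {
    if (jsonObj == null) {
        return;
    }
    for (Object ok : jsonObj.keySet()) {
        String paramName = (String) ok;
        Object val = jsonObj.get(paramName);
        if (val instanceof String) {
            amt.getParams().getParam().add(newParam(paramName, (String) val));
        } else {
            // anything else must be an array of strings
            for (Object ov : (JSONArray) val) {
                amt.getParams().getParam().add(newParam(paramName, (String) ov));
            }
        }
    }
}

/**
 * Resolves each {@code secretParams} entry against the Kubernetes API and adds
 * the secret value as a parameter on {@code amt}. A dedicated non-watching
 * client is used and always closed, even if the first close fails.
 *
 * @param amt the mechanism receiving the parameters
 * @param secretParams non-null array of {name, secretName, secretKey} objects
 * @throws Exception if the client cannot be created or a secret cannot be read
 */
private void addSecretParams(AuthMechType amt, JSONArray secretParams) throws Exception {
    HttpCon nonwatchHttp = this.k8sWatch.getK8s().createClient();
    try {
        // inside the try so the client is released if the token lookup fails
        String token = this.k8sWatch.getK8s().getAuthToken();
        for (Object ox : secretParams) {
            JSONObject secretParam = (JSONObject) ox;
            String paramName = (String) secretParam.get("name");
            String secretName = (String) secretParam.get("secretName");
            String secretKey = (String) secretParam.get("secretKey");
            // secret material: keep it out of logs and exception messages
            String secretValue = this.k8sWatch.getSecretValue(secretName, secretKey, token, nonwatchHttp);
            amt.getParams().getParam().add(newParam(paramName, secretValue));
        }
    } finally {
        try {
            nonwatchHttp.getHttp().close();
        } finally {
            // runs even when closing the HTTP client throws
            nonwatchHttp.getBcm().close();
        }
    }
}

/** Creates a single name/value parameter. */
private static ParamWithValueType newParam(String name, String value) {
    ParamWithValueType pt = new ParamWithValueType();
    pt.setName(name);
    pt.setValue(value);
    return pt;
}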

Example 2 with ParamWithValueType

Use of com.tremolosecurity.config.xml.ParamWithValueType in the project OpenUnison by TremoloSecurity.

From the class OpenUnisonUtils, method exportSPMetaData.

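/**
 * Prints SAML 2.0 service-provider metadata for the SAML2 mechanism named on
 * the command line, built from that mechanism's chain parameters.
 *
 * <p>Looks up {@code mechanismName} on {@code chainName}, uses {@code urlBase}
 * plus the mechanism URI as both entity ID and endpoint location, and
 * advertises the certificates named by the {@code spSigKey} / {@code spEncKey}
 * parameters from {@code ks} when those are set. Only public certificates are
 * embedded in the metadata. The pretty-printed XML is emitted through
 * {@code logger.info}. Exits the JVM with status 1 if the mechanism is not on
 * the chain.
 *
 * @param options CLI option definitions passed to {@code loadOption}
 * @param cmd the parsed command line
 * @param tt the loaded OpenUnison configuration
 * @param ks the keystore holding the SP certificates and keys
 * @throws Exception if a referenced alias has no certificate or no private key
 *     in {@code ks}, or on keystore / marshalling failures
 */
private static void exportSPMetaData(Options options, CommandLine cmd, TremoloType tt, KeyStore ks) throws Exception, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, CertificateEncodingException, MarshallingException {
    logger.info("Finding mechanism...");
    String mechanismName = loadOption(cmd, "mechanismName", options);
    MechanismType saml2Mech = loadMechanismType(mechanismName, tt);
    logger.info("...found");
    logger.info("Finding chain...");
    String chainName = loadOption(cmd, "chainName", options);
    AuthChainType act = loadChainType(chainName, tt);
    logger.info("Looking for correct mechanism on the chain...");
    AuthMechType currentMechanism = null;
    for (AuthMechType amt : act.getAuthMech()) {
        if (amt.getName().equalsIgnoreCase(mechanismName)) {
            currentMechanism = amt;
            break;
        }
    }
    if (currentMechanism == null) {
        System.err.println("Unknown chain on mechanism");
        System.exit(1);
    }
    InitializationService.initialize();
    logger.info("loading url base");
    String urlBase = loadOption(cmd, "urlBase", options);
    String url = urlBase + saml2Mech.getUri();
    // 20 CSPRNG bytes -> 40 hex chars; the leading letter keeps the value a valid XML ID
    SecureRandom random = new SecureRandom();
    byte[] idBytes = new byte[20];
    random.nextBytes(idBytes);
    String id = "f" + Hex.encodeHexString(idBytes);
    EntityDescriptorImpl ed = (EntityDescriptorImpl) new EntityDescriptorBuilder().buildObject();
    ed.setID(id);
    ed.setEntityID(url);
    SPSSODescriptorImpl sp = (SPSSODescriptorImpl) new SPSSODescriptorBuilder().buildObject();
    ed.getRoleDescriptors().add(sp);
    // index the mechanism's parameters by name; later duplicates win, as before
    HashMap<String, ParamWithValueType> params = new HashMap<String, ParamWithValueType>();
    for (ParamWithValueType pt : currentMechanism.getParams().getParam()) {
        params.put(pt.getName(), pt);
    }
    ParamWithValueType assertionsSignedParam = params.get("assertionsSigned");
    boolean assertionsSigned = assertionsSignedParam != null && assertionsSignedParam.getValue().equalsIgnoreCase("true");
    sp.setWantAssertionsSigned(assertionsSigned);
    sp.addSupportedProtocol("urn:oasis:names:tc:SAML:2.0:protocol");
    // single logout: Redirect and POST bindings, both at the mechanism URL
    SingleLogoutServiceBuilder slsb = new SingleLogoutServiceBuilder();
    SingleLogoutService sls = slsb.buildObject();
    sls.setLocation(url);
    sls.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
    sp.getSingleLogoutServices().add(sls);
    sls = slsb.buildObject();
    sls.setLocation(url);
    sls.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    sp.getSingleLogoutServices().add(sls);
    // assertion consumer: POST is index 0 and the default, Redirect is index 1
    AssertionConsumerServiceBuilder acsb = new AssertionConsumerServiceBuilder();
    AssertionConsumerService acs = acsb.buildObject();
    acs.setLocation(url);
    acs.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
    acs.setIndex(0);
    acs.setIsDefault(true);
    sp.getAssertionConsumerServices().add(acs);
    acs = acsb.buildObject();
    acs.setLocation(url);
    acs.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
    acs.setIndex(1);
    sp.getAssertionConsumerServices().add(acs);
    addKeyDescriptor(sp, ks, tt, params.get("spSigKey"), UsageType.SIGNING);
    addKeyDescriptor(sp, ks, tt, params.get("spEncKey"), UsageType.ENCRYPTION);
    EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
    Element assertionElement = marshaller.marshall(ed);
    String xml = net.shibboleth.utilities.java.support.xml.SerializeSupport.prettyPrintXML(assertionElement);
    logger.info(xml);
}

/**
 * Adds a {@code KeyDescriptor} for the keystore alias named by {@code aliasParam}
 * to {@code sp}; does nothing when the parameter is absent or empty. Only the
 * X.509 certificate is embedded; the private key is looked up solely to confirm
 * the alias is usable for {@code use} and is never written out.
 *
 * @param sp the SP descriptor being built
 * @param ks the keystore holding the alias
 * @param tt configuration supplying the keystore password
 * @param aliasParam the {@code spSigKey} / {@code spEncKey} parameter, or null
 * @param use SIGNING or ENCRYPTION
 * @throws Exception if no certificate or no private key exists for the alias,
 *     or on keystore access failures
 */
private static void addKeyDescriptor(SPSSODescriptorImpl sp, KeyStore ks, TremoloType tt, ParamWithValueType aliasParam, UsageType use) throws Exception {
    if (aliasParam == null || aliasParam.getValue().isEmpty()) {
        return;
    }
    String alias = aliasParam.getValue();
    X509Certificate certFromKS = (X509Certificate) ks.getCertificate(alias);
    if (certFromKS == null) {
        throw new Exception("Certificate '" + alias + "' not found");
    }
    // a certificate-only entry cannot be used to sign or decrypt at runtime
    if (ks.getKey(alias, tt.getKeyStorePassword().toCharArray()) == null) {
        throw new Exception("Private key '" + alias + "' not found");
    }
    KeyDescriptor kd = new KeyDescriptorBuilder().buildObject();
    kd.setUse(use);
    KeyInfo ki = new KeyInfoBuilder().buildObject();
    X509Data x509 = new X509DataBuilder().buildObject();
    org.opensaml.xmlsec.signature.X509Certificate cert = new X509CertificateBuilder().buildObject();
    cert.setValue(new String(Base64.encode(certFromKS.getEncoded())));
    x509.getX509Certificates().add(cert);
    ki.getX509Datas().add(x509);
    kd.setKeyInfo(ki);
    sp.getKeyDescriptors().add(kd);
}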

Example 3 with ParamWithValueType

Use of com.tremolosecurity.config.xml.ParamWithValueType in the project OpenUnison by TremoloSecurity.

From the class OpenUnisonUtils, method setProperty.

/**
 * Sets parameter {@code name} on {@code amt} to {@code value}, creating the
 * parameter (and registering it in {@code params}) when it does not exist yet.
 *
 * @param name parameter name
 * @param value new value
 * @param params name-to-parameter index for {@code amt}; updated on insert
 * @param amt the mechanism whose parameter list receives new entries
 */
private static void setProperty(String name, String value, HashMap<String, ParamWithValueType> params, AuthMechType amt) {
    ParamWithValueType existing = params.get(name);
    if (existing != null) {
        existing.setValue(value);
        return;
    }
    ParamWithValueType created = new ParamWithValueType();
    created.setName(name);
    created.setValue(value);
    amt.getParams().getParam().add(created);
    params.put(name, created);
}

Example 4 with ParamWithValueType

Use of com.tremolosecurity.config.xml.ParamWithValueType in the project OpenUnison by TremoloSecurity.

From the class OpenUnisonUtils, method importMetaData.

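/**
 * Imports IdP SAML metadata into the SAML2 mechanism named on the command line
 * and writes the updated OpenUnison configuration back out.
 *
 * <p>Resolves {@code mechanismName} on {@code chainName} in {@code ttWrite},
 * creating the mechanism (marked {@code required}) when it is absent. The IdP
 * metadata at {@code pathToMetaData} is loaded and applied through the
 * five-argument {@code importMetaData} overload; when {@code createDefault} is
 * given, a newly created mechanism also receives default settings. Finally the
 * configuration and keystore are stored via {@code storeMethod}.
 *
 * @param options CLI option definitions passed to {@code loadOption}
 * @param cmd the parsed command line
 * @param unisonXMLFile path of the configuration file to write
 * @param ttRead configuration used while reading the IdP metadata
 * @param ttWrite configuration that is modified and stored
 * @param ksPath path of the keystore to store
 * @param ks keystore handed to the import and stored with the configuration
 * @throws Exception on option, metadata, keystore or serialization failures
 */
private static void importMetaData(Options options, CommandLine cmd, String unisonXMLFile, TremoloType ttRead, TremoloType ttWrite, String ksPath, KeyStore ks) throws Exception, Base64DecodingException, CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, FileNotFoundException, JAXBException, PropertyException {
    logger.info("Finding mechanism...");
    String mechanismName = loadOption(cmd, "mechanismName", options);
    // result unused here; the call is kept because loadMechanismType is
    // presumably what reports an unknown mechanism name -- verify
    loadMechanismType(mechanismName, ttWrite);
    logger.info("...found");
    logger.info("Finding chain...");
    String chainName = loadOption(cmd, "chainName", options);
    AuthChainType act = loadChainType(chainName, ttWrite);
    boolean createDefault = cmd.hasOption("createDefault");
    logger.info("Create default configuration? : " + createDefault);
    logger.info("Loading metadata...");
    String pathToMetaData = loadOption(cmd, "pathToMetaData", options);
    EntityDescriptor ed = loadIdPMetaData(pathToMetaData, ks, ttRead);
    logger.info("...loaded");
    IDPSSODescriptor idp = ed.getIDPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
    logger.info("Looking for correct mechanism on the chain...");
    AuthMechType currentMechanism = null;
    for (AuthMechType amt : act.getAuthMech()) {
        if (amt.getName().equalsIgnoreCase(mechanismName)) {
            currentMechanism = amt;
            break;
        }
    }
    boolean newMech = currentMechanism == null;
    if (newMech) {
        logger.info("Creating new mechanism");
        currentMechanism = new AuthMechType();
        currentMechanism.setName(mechanismName);
        currentMechanism.setRequired("required");
        currentMechanism.setParams(new AuthMechParamType());
        act.getAuthMech().add(currentMechanism);
    } else {
        logger.info("Updating existing mechanism");
    }
    // index existing parameters by name so the import can update in place
    HashMap<String, ParamWithValueType> params = new HashMap<String, ParamWithValueType>();
    for (ParamWithValueType pt : currentMechanism.getParams().getParam()) {
        params.put(pt.getName(), pt);
    }
    importMetaData(ks, ed, idp, currentMechanism, params);
    // defaults only make sense for a mechanism this run created
    if (newMech && createDefault) {
        setDefaults(ks, ed, idp, currentMechanism, params);
    }
    storeMethod(unisonXMLFile, ttWrite, ksPath, ks);
}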

Example 5 with ParamWithValueType

Use of com.tremolosecurity.config.xml.ParamWithValueType in the project OpenUnison by TremoloSecurity.

From the class LoadJobsFromK8s, method createJob.

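/**
 * Builds a {@link JobType} from the {@code spec} of a job custom resource and
 * registers it with the provisioning engine.
 *
 * <p>Every string field is passed through
 * {@code OpenUnisonConfigLoader.integrateIncludes} before use. Plain
 * {@code params} are copied from the resource; each {@code secretParams} entry
 * is resolved by reading the referenced Kubernetes Secret key, so the job
 * definition holds secret material in memory and must not be logged.
 *
 * @param item the raw custom resource as parsed by json-simple
 * @param name the job name
 * @throws ProvisioningException if a secret cannot be loaded or the job cannot
 *     be scheduled; the underlying cause is attached
 */
private void createJob(JSONObject item, String name) throws ProvisioningException {
    JobType job = new JobType();
    job.setName(name);
    JSONObject spec = (JSONObject) item.get("spec");
    // one scratch buffer reused for every include expansion
    StringBuffer b = new StringBuffer();
    job.setClassName(expand(b, (String) spec.get("className")));
    job.setGroup(expand(b, (String) spec.get("group")));
    JSONArray params = (JSONArray) spec.get("params");
    if (params != null) {
        for (Object o : params) {
            JSONObject param = (JSONObject) o;
            ParamWithValueType pt = new ParamWithValueType();
            pt.setName(expand(b, (String) param.get("name")));
            pt.setValue(expand(b, (String) param.get("value")));
            job.getParam().add(pt);
        }
    }
    JSONArray secretParams = (JSONArray) spec.get("secretParams");
    if (secretParams != null) {
        addSecretParams(job, secretParams, name);
    }
    CronScheduleType cron = new CronScheduleType();
    JSONObject cronJson = (JSONObject) spec.get("cronSchedule");
    cron.setSeconds(expand(b, (String) cronJson.get("seconds")));
    cron.setMinutes(expand(b, (String) cronJson.get("minutes")));
    cron.setHours(expand(b, (String) cronJson.get("hours")));
    cron.setDayOfMonth(expand(b, (String) cronJson.get("dayOfMonth")));
    cron.setMonth(expand(b, (String) cronJson.get("month")));
    cron.setDayOfWeek(expand(b, (String) cronJson.get("dayOfWeek")));
    cron.setYear(expand(b, (String) cronJson.get("year")));
    job.setCronSchedule(cron);
    try {
        this.cfgMgr.getProvisioningEngine().addNewJob(jobKeys, job);
    } catch (ClassNotFoundException | SchedulerException | ProvisioningException e) {
        throw new ProvisioningException("Could not add job '" + name + "'", e);
    }
}

/**
 * Runs {@code raw} through include expansion using the scratch buffer
 * {@code b}, which is cleared first.
 *
 * @param b reusable buffer
 * @param raw the configured value, possibly containing includes
 * @return the expanded value
 * @throws ProvisioningException if include expansion reports a failure
 */
private static String expand(StringBuffer b, String raw) throws ProvisioningException {
    b.setLength(0);
    OpenUnisonConfigLoader.integrateIncludes(b, raw);
    return b.toString();
}

/**
 * Resolves each {@code secretParams} entry against the Kubernetes API and adds
 * the value as a job parameter. A dedicated non-watching client is used and
 * always released, even if closing the HTTP client fails.
 *
 * @param job the job receiving the parameters
 * @param secretParams non-null array of {name, secretName, secretKey} objects
 * @param name the job name, used only in the error message
 * @throws ProvisioningException wrapping any failure, with the cause attached
 */
private void addSecretParams(JobType job, JSONArray secretParams, String name) throws ProvisioningException {
    HttpCon nonwatchHttp = null;
    try {
        nonwatchHttp = this.k8sWatch.getK8s().createClient();
        String token = this.k8sWatch.getK8s().getAuthToken();
        for (Object o : secretParams) {
            JSONObject secretParam = (JSONObject) o;
            String paramName = (String) secretParam.get("name");
            String secretName = (String) secretParam.get("secretName");
            String secretKey = (String) secretParam.get("secretKey");
            // secret material: keep it out of logs and exception messages
            String secretValue = this.k8sWatch.getSecretValue(secretName, secretKey, token, nonwatchHttp);
            ParamWithValueType pt = new ParamWithValueType();
            pt.setName(paramName);
            pt.setValue(secretValue);
            job.getParam().add(pt);
        }
    } catch (Exception e) {
        // attach the cause so the real failure (API error, missing key) stays diagnosable
        throw new ProvisioningException("Could not load secrets for '" + name + "'", e);
    } finally {
        if (nonwatchHttp != null) {
            try {
                nonwatchHttp.getHttp().close();
            } catch (IOException ignored) {
                // best-effort close of a one-shot client; nothing to recover
            } finally {
                nonwatchHttp.getBcm().close();
            }
        }
    }
}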
