Use of com.tremolosecurity.provisioning.core.ProvisioningException in the OpenUnison project by TremoloSecurity.
The class AddGroupToRole, method addToRBACRole.
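/**
 * Adds {@code localGroupName} as a {@code Group} subject of the RBAC role binding
 * {@code localPolicyName} in namespace {@code localProjectName}, then records the action
 * on the provisioning engine's audit log.
 *
 * <p>The binding is fetched, modified in memory and written back with a PUT of the whole
 * object, so whatever the API returned under {@code metadata} (including any
 * {@code resourceVersion}) is sent back unchanged. If the group is already listed as a
 * subject the method logs a warning and returns without writing. Names are compared
 * case-sensitively, so a differently-cased entry is treated as absent and a second
 * subject is added.
 *
 * @param os               the OpenShift target used to issue the API calls
 * @param token            bearer token used by {@code os} for the calls
 * @param con              HTTP connection to use
 * @param localProjectName namespace that owns the role binding
 * @param localPolicyName  name of the role binding to update
 * @param localGroupName   group to add as a subject
 * @param approvalID       approval id passed through to the audit log
 * @throws ProvisioningException if the binding does not exist or the update is rejected
 * @throws Exception             propagated from the web-service calls and JSON parsing
 */
private void addToRBACRole(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
    // Only exactly 3.9 selects the v1 API; every other value (including 3.10+) falls
    // back to v1beta1. NOTE(review): exact double comparison - confirm this is intended.
    String apiPrefix = this.openShiftVersion == 3.9
            ? "/apis/rbac.authorization.k8s.io/v1/namespaces/"
            : "/apis/rbac.authorization.k8s.io/v1beta1/namespaces/";
    String roleBindingUri = apiPrefix + localProjectName + "/rolebindings/" + localPolicyName;

    String json = os.callWS(token, con, roleBindingUri);
    if (logger.isDebugEnabled()) {
        logger.debug("Policy binding : '" + json + "'");
    }

    JSONObject rb = (JSONObject) new JSONParser().parse(json);
    // A Status object with status=Failure is what the API answers for a missing binding.
    if ("Failure".equals(rb.get("status"))) {
        throw new ProvisioningException("Role binding : '" + localPolicyName + "' does not exist");
    }

    JSONArray subjects = (JSONArray) rb.get("subjects");
    if (subjects == null) {
        subjects = new JSONArray();
        rb.put("subjects", subjects);
    } else if (containsGroupSubject(subjects, localGroupName)) {
        logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
        return;
    }

    JSONObject binding = new JSONObject();
    binding.put("kind", "Group");
    binding.put("apiGroup", "rbac.authorization.k8s.io");
    binding.put("name", localGroupName);
    subjects.add(binding);

    String jsonResp = os.callWSPut(token, con, roleBindingUri, rb.toJSONString());
    Response resp = new Gson().fromJson(jsonResp, Response.class);
    // A populated status means the API answered with a Status (error) object rather than
    // the updated binding; an empty body (null resp) is treated the same way instead of NPE-ing.
    if (resp == null || resp.getStatus() != null) {
        throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
    }
    this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", localProjectName + "." + localPolicyName + "." + localGroupName);
}

/**
 * Returns true when {@code subjects} already holds a subject of kind {@code Group} whose
 * name equals {@code groupName} (exact, case-sensitive match).
 */
private static boolean containsGroupSubject(JSONArray subjects, String groupName) {
    for (Object o : subjects) {
        JSONObject jo = (JSONObject) o;
        // Constant-first equals: a subject missing "kind" or "name" no longer causes an NPE.
        if ("Group".equals(jo.get("kind")) && groupName.equals(jo.get("name"))) {
            return true;
        }
    }
    return false;
}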
Use of com.tremolosecurity.provisioning.core.ProvisioningException in the OpenUnison project by TremoloSecurity.
The class AddGroupToRole, method addTo36Role.
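/**
 * Adds {@code localGroupName} to the OpenShift 3.6 (pre-RBAC, {@code /oapi/v1}) role binding
 * {@code localPolicyName} in project {@code localProjectName}, then records the action on the
 * provisioning engine's audit log.
 *
 * <p>The project's policy bindings are listed and only the first item's {@code roleBindings}
 * are inspected (this mirrors the original behaviour; it assumes a project has a single
 * PolicyBinding). If a binding with the policy name exists it is updated in place and PUT
 * back, otherwise a new {@code RoleBinding} is POSTed. In both cases the group is written to
 * the legacy {@code groupNames} list and as a {@code Group} subject. If the group is already
 * present in either list a warning is logged and nothing is written.
 *
 * @param os               the OpenShift target used to issue the API calls
 * @param token            bearer token used by {@code os} for the calls
 * @param con              HTTP connection to use
 * @param localProjectName project that owns the binding
 * @param localPolicyName  name of the role binding
 * @param localGroupName   group to add
 * @param approvalID       approval id passed through to the audit log
 * @throws ProvisioningException if no policy bindings are returned or the write is rejected
 * @throws Exception             propagated from the web-service calls and JSON parsing
 */
private void addTo36Role(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
    String policyBindingsUri = "/oapi/v1/namespaces/" + localProjectName + "/policybindings";
    String json = os.callWS(token, con, policyBindingsUri);
    if (logger.isDebugEnabled()) {
        logger.debug("All policy bindings : '" + json + "'");
    }

    JSONObject pbl = (JSONObject) new JSONParser().parse(json);
    JSONArray items = (JSONArray) pbl.get("items");
    // An error Status or an empty list used to surface as an NPE / IndexOutOfBounds here.
    if (items == null || items.isEmpty()) {
        throw new ProvisioningException("No policy bindings returned for project '" + localProjectName + "'");
    }
    JSONArray roleBindings = (JSONArray) ((JSONObject) items.get(0)).get("roleBindings");

    JSONObject foundRoleBinding = null;
    boolean alreadyMember = false;
    if (roleBindings != null) {
        for (Object o : roleBindings) {
            JSONObject entry = (JSONObject) o;
            if (!localPolicyName.equals(entry.get("name"))) {
                continue;
            }
            // Several entries with the same name: the last one wins, as before.
            foundRoleBinding = (JSONObject) entry.get("roleBinding");
            alreadyMember = alreadyMember || isGroupMember36(foundRoleBinding, localGroupName);
        }
    }

    if (alreadyMember) {
        logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
        return;
    }

    String jsonResp;
    if (foundRoleBinding != null) {
        addGroupTo36Binding(foundRoleBinding, localGroupName);
        // The embedded roleBinding carries no type information; the PUT body needs it.
        foundRoleBinding.put("kind", "RoleBinding");
        foundRoleBinding.put("apiVersion", "v1");
        if (logger.isDebugEnabled()) {
            logger.debug("new policy : '" + foundRoleBinding + "'");
        }
        String saveURI = "/oapi/v1/namespaces/" + localProjectName + "/rolebindings/" + localPolicyName;
        jsonResp = os.callWSPut(token, con, saveURI, foundRoleBinding.toJSONString());
    } else {
        JSONObject newBinding = new36RoleBinding(localProjectName, localPolicyName);
        addGroupTo36Binding(newBinding, localGroupName);
        String saveURI = "/oapi/v1/namespaces/" + localProjectName + "/rolebindings";
        jsonResp = os.callWSPost(token, con, saveURI, newBinding.toJSONString());
        if (logger.isDebugEnabled()) {
            logger.debug("response json - " + jsonResp);
        }
    }

    Response resp = new Gson().fromJson(jsonResp, Response.class);
    // Anything other than the echoed RoleBinding (an error Status, or an empty body) is a failure;
    // the raw response is included so the server's reason is visible in the message.
    if (resp == null || !"RoleBinding".equals(resp.getKind())) {
        throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
    }
    this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", localProjectName + "." + localPolicyName + "." + localGroupName);
}

/**
 * Returns true when a 3.6 role binding already lists {@code groupName}, either in the legacy
 * {@code groupNames} array (compared ignoring case, as before) or as a Group subject (name
 * compared exactly, as before).
 */
private static boolean isGroupMember36(JSONObject roleBinding, String groupName) {
    if (roleBinding == null) {
        return false;
    }
    JSONArray groupNames = (JSONArray) roleBinding.get("groupNames");
    if (groupNames != null) {
        for (Object o : groupNames) {
            if (groupName.equalsIgnoreCase((String) o)) {
                return true;
            }
        }
    }
    JSONArray subjects = (JSONArray) roleBinding.get("subjects");
    if (subjects != null) {
        for (Object o : subjects) {
            JSONObject subj = (JSONObject) o;
            // The subject kind is matched ignoring case: this class writes "Group" but the
            // check previously only accepted "group", so subjects it had written itself were
            // never recognised and duplicate subjects could accumulate.
            if ("Group".equalsIgnoreCase(String.valueOf(subj.get("kind"))) && groupName.equals(subj.get("name"))) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Appends {@code groupName} to both the {@code groupNames} and {@code subjects} lists of
 * {@code roleBinding}, creating either list when it is absent.
 */
private static void addGroupTo36Binding(JSONObject roleBinding, String groupName) {
    JSONArray groupNames = (JSONArray) roleBinding.get("groupNames");
    if (groupNames == null) {
        groupNames = new JSONArray();
        roleBinding.put("groupNames", groupNames);
    }
    groupNames.add(groupName);

    JSONArray subjects = (JSONArray) roleBinding.get("subjects");
    if (subjects == null) {
        subjects = new JSONArray();
        roleBinding.put("subjects", subjects);
    }
    JSONObject subject = new JSONObject();
    subject.put("kind", "Group");
    subject.put("name", groupName);
    subjects.add(subject);
}

/** Builds a v1 {@code RoleBinding} skeleton for {@code policyName} in {@code projectName} with no members yet. */
private static JSONObject new36RoleBinding(String projectName, String policyName) {
    JSONObject roleBinding = new JSONObject();
    roleBinding.put("kind", "RoleBinding");
    roleBinding.put("apiVersion", "v1");
    JSONObject metadata = new JSONObject();
    metadata.put("name", policyName);
    metadata.put("namespace", projectName);
    roleBinding.put("metadata", metadata);
    JSONObject roleRef = new JSONObject();
    roleRef.put("name", policyName);
    roleBinding.put("roleRef", roleRef);
    return roleBinding;
}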
Use of com.tremolosecurity.provisioning.core.ProvisioningException in the OpenUnison project by TremoloSecurity.
The class PullListener, method buildQueueConnections.
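/**
 * Lazily creates the JMS session used to send to {@code sendToQueueName} and, when an
 * {@link AdditionalMetrics} implementation is configured, initialises it. Does nothing when a
 * session already exists.
 *
 * @param cfg the configuration manager handed through to {@code additionalMetrics.init}
 * @throws ProvisioningException if the session or the additional metrics cannot be initialised;
 *                               the underlying failure is kept as the cause
 */
private void buildQueueConnections(ConfigManager cfg) throws ProvisioningException {
    if (this.jmsSession != null) {
        return;
    }
    try {
        logger.debug("creating queues");
        this.jmsSession = JMSConnectionFactory.getConnectionFactory().getSession(this.sendToQueueName);
        if (this.additionalMetrics != null) {
            this.additionalMetrics.init(this, cfg, attributes);
        }
        logger.debug("created queues");
    } catch (Throwable t) {
        // Throwable is kept (original behaviour) so provider link/class errors surface as a
        // ProvisioningException; the cause is now attached so the real failure is diagnosable.
        throw new ProvisioningException("Could not initialize queues", t);
    }
}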
Use of com.tremolosecurity.provisioning.core.ProvisioningException in the OpenUnison project by TremoloSecurity.
The class PullListener, method init.
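/**
 * Initialises the listener from its configured attributes: decompresses and parses the JSON
 * list of {@link AggregateURL}s under {@code urls}, reads {@code sendToQueueName}, and
 * optionally instantiates the class named by {@code additionalMetricsClassName}.
 *
 * @param cfg        configuration manager passed on to {@link PullMetrics}
 * @param attributes listener attributes; {@code urls} and {@code sendToQueueName} are required
 * @throws ProvisioningException if a required attribute is missing, the url list cannot be
 *                               decompressed, or the additional metrics class cannot be loaded
 */
@Override
public void init(ConfigManager cfg, HashMap<String, Attribute> attributes) throws ProvisioningException {
    String compressedUrls = requiredAttribute(attributes, "urls");
    String urlList;
    try {
        urlList = PrometheusUtils.decompress(compressedUrls);
    } catch (IOException e1) {
        throw new ProvisioningException("Could not decompress url configuration", e1);
    }
    Type listType = new TypeToken<ArrayList<AggregateURL>>() {
    }.getType();
    List<AggregateURL> urls = new Gson().fromJson(urlList, listType);
    this.pull = new PullMetrics(urls, cfg);
    this.sendToQueueName = requiredAttribute(attributes, "sendToQueueName");
    this.attributes = attributes;

    Attribute metricsClass = attributes.get("additionalMetricsClassName");
    if (metricsClass != null) {
        String className = metricsClass.getValues().get(0);
        try {
            // The class name is taken from the listener's own configuration, not from a request.
            this.additionalMetrics = (AdditionalMetrics) Class.forName(className).newInstance();
        } catch (InstantiationException | IllegalAccessException | ClassNotFoundException e) {
            // Cause is preserved so a missing class or constructor is visible in the trace.
            throw new ProvisioningException("Could not instantiate additional metrics '" + className + "'", e);
        }
    }
}

/**
 * Returns the first value of the attribute {@code name}, failing with a clear message when the
 * attribute is absent or has no values (previously a bare NullPointerException).
 */
private static String requiredAttribute(HashMap<String, Attribute> attributes, String name) throws ProvisioningException {
    Attribute attr = attributes.get(name);
    if (attr == null || attr.getValues() == null || attr.getValues().isEmpty()) {
        throw new ProvisioningException("Missing required attribute '" + name + "'");
    }
    return attr.getValues().get(0);
}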
Use of com.tremolosecurity.provisioning.core.ProvisioningException in the OpenUnison project by TremoloSecurity.
The class LoadTargetsFromK8s, method createTarget.
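/**
 * Builds a {@link TargetType} from a Target custom resource {@code item} and registers it in the
 * running configuration, replacing any already-registered target of the same name.
 *
 * <p>Values under {@code spec.className}, {@code spec.params} and {@code spec.targetAttributes}
 * are run through {@link OpenUnisonConfigLoader#integrateIncludes}. Values under
 * {@code spec.secretParams} are fetched from the named Kubernetes Secret with a short-lived
 * client and stored as plain parameter values; they are not include-expanded and are never
 * logged here. A missing {@code params}, {@code secretParams} or {@code targetAttributes}
 * section is treated as empty.
 *
 * @param item the Target custom resource as parsed JSON
 * @param name the name to register the target under
 * @return the registered target
 * @throws ProvisioningException if the resource cannot be read or a secret cannot be fetched;
 *                               the underlying failure is kept as the cause
 */
private TargetType createTarget(JSONObject item, String name) throws ProvisioningException {
    TargetType target = new TargetType();
    target.setName(name);
    target.setParams(new TargetConfigType());
    JSONObject spec = (JSONObject) item.get("spec");
    if (spec == null) {
        throw new ProvisioningException("Could not add target '" + name + "' - no spec");
    }
    HttpCon nonwatchHttp = null;
    try {
        nonwatchHttp = this.k8sWatch.getK8s().createClient();
        String token = this.k8sWatch.getK8s().getAuthToken();
        target.setClassName(expandIncludes((String) spec.get("className")));
        addParams(target, (JSONArray) spec.get("params"));
        addSecretParams(target, (JSONArray) spec.get("secretParams"), token, nonwatchHttp);
        addTargetAttributes(target, (JSONArray) spec.get("targetAttributes"));
        registerTarget(target);
        return target;
    } catch (Exception e) {
        throw new ProvisioningException("Could not add target '" + name + "'", e);
    } finally {
        if (nonwatchHttp != null) {
            try {
                nonwatchHttp.getHttp().close();
            } catch (IOException ignored) {
                // Best-effort close of a per-call client; the outcome is already decided above.
            }
            nonwatchHttp.getBcm().close();
        }
    }
}

/** Runs {@code value} through the include-expansion loader and returns the expanded text. */
private static String expandIncludes(String value) throws Exception {
    // StringBuffer is what integrateIncludes accepts; a fresh one per call replaces the
    // shared buffer + setLength(0) pattern.
    StringBuffer b = new StringBuffer();
    OpenUnisonConfigLoader.integrateIncludes(b, value);
    return b.toString();
}

/** Adds each include-expanded {@code name}/{@code value} pair of {@code params} to the target. */
private static void addParams(TargetType target, JSONArray params) throws Exception {
    if (params == null) {
        return;
    }
    for (Object o : params) {
        JSONObject param = (JSONObject) o;
        ParamType pt = new ParamType();
        pt.setName(expandIncludes((String) param.get("name")));
        pt.setValue(expandIncludes((String) param.get("value")));
        target.getParams().getParam().add(pt);
    }
}

/**
 * Resolves each {@code secretParams} entry ({@code name}, {@code secretName}, {@code secretKey})
 * from the referenced Secret and adds it to the target as a plain parameter.
 */
private void addSecretParams(TargetType target, JSONArray secretParams, String token, HttpCon http) throws Exception {
    if (secretParams == null) {
        return;
    }
    for (Object o : secretParams) {
        JSONObject secretParam = (JSONObject) o;
        String paramName = (String) secretParam.get("name");
        String secretName = (String) secretParam.get("secretName");
        String secretKey = (String) secretParam.get("secretKey");
        // Secret material: stored on the target only, never logged.
        String secretValue = this.k8sWatch.getSecretValue(secretName, secretKey, token, http);
        ParamType pt = new ParamType();
        pt.setName(paramName);
        pt.setValue(secretValue);
        target.getParams().getParam().add(pt);
    }
}

/** Adds each {@code targetAttributes} entry to the target; name and source are include-expanded. */
private static void addTargetAttributes(TargetType target, JSONArray attrs) throws Exception {
    if (attrs == null) {
        return;
    }
    for (Object o : attrs) {
        JSONObject attr = (JSONObject) o;
        TargetAttributeType ta = new TargetAttributeType();
        ta.setName(expandIncludes((String) attr.get("name")));
        ta.setSource(expandIncludes((String) attr.get("source")));
        ta.setSourceType((String) attr.get("sourceType"));
        ta.setTargetType((String) attr.get("targetType"));
        target.getTargetAttribute().add(ta);
    }
}

/**
 * Removes the first registered target with the same name (if any) and appends {@code target}.
 * Synchronised on the target list itself, as before; presumably this guards against the
 * provisioning engine reading the list while the watch updates it - confirm against callers.
 */
private void registerTarget(TargetType target) {
    synchronized (this.tremolo.getProvisioning().getTargets().getTarget()) {
        int found = -1;
        int index = 0;
        for (TargetType tt : this.tremolo.getProvisioning().getTargets().getTarget()) {
            if (tt.getName().equals(target.getName())) {
                found = index;
                break;
            }
            index++;
        }
        if (found >= 0) {
            this.tremolo.getProvisioning().getTargets().getTarget().remove(found);
        }
        this.tremolo.getProvisioning().getTargets().getTarget().add(target);
    }
}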