
Example 21 with ProvisioningException

use of com.tremolosecurity.provisioning.core.ProvisioningException in project OpenUnison by TremoloSecurity.

the class AddGroupToRole method addToRBACRole.

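/**
 * Adds {@code localGroupName} as a {@code Group} subject of an existing RBAC
 * ({@code rbac.authorization.k8s.io}) role binding and records the action with
 * the provisioning engine.
 *
 * <p>The binding is fetched, checked for the group, extended in memory and written
 * back with a PUT. When the group is already a subject a warning is logged and
 * nothing is written.
 *
 * @param os               target used for the API calls
 * @param token            bearer token handed to {@code os.callWS*}
 * @param con              HTTP connection handed to the target
 * @param localProjectName namespace of the role binding
 * @param localPolicyName  name of the role binding
 * @param localGroupName   group to add as a subject
 * @param approvalID       approval id recorded with the audit entry
 * @throws ProvisioningException if the binding does not exist or the PUT is rejected
 * @throws Exception             propagated from the API calls and JSON parsing
 */
private void addToRBACRole(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
    // NOTE(review): exact double comparison; every version other than 3.9 falls through
    // to v1beta1. Confirm the field's type and the supported versions before widening it.
    String apiPrefix = this.openShiftVersion == 3.9 ? "/apis/rbac.authorization.k8s.io/v1/namespaces/" : "/apis/rbac.authorization.k8s.io/v1beta1/namespaces/";
    // Project and binding names are placed in the path unencoded; callers are expected
    // to pass valid Kubernetes names (no '/', '?' or '#').
    String roleBindingUri = apiPrefix + localProjectName + "/rolebindings/" + localPolicyName;
    String json = os.callWS(token, con, roleBindingUri);
    if (logger.isDebugEnabled()) {
        logger.debug("Policy binding : '" + json + "'");
    }
    JSONObject rb = (JSONObject) new JSONParser().parse(json);
    // A missing binding comes back as a Status object with status=Failure.
    if (rb.get("status") != null && rb.get("status").equals("Failure")) {
        throw new ProvisioningException("Role binding : '" + localPolicyName + "' does not exist");
    }
    JSONArray subjects = (JSONArray) rb.get("subjects");
    if (subjects == null) {
        subjects = new JSONArray();
        rb.put("subjects", subjects);
    }
    for (Object o : subjects) {
        JSONObject jo = (JSONObject) o;
        Object subjectName = jo.get("name");
        // Constant-first equals: a subject without kind/name is skipped instead of throwing NPE.
        if ("Group".equals(jo.get("kind")) && subjectName != null && subjectName.equals(localGroupName)) {
            logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
            return;
        }
    }
    JSONObject binding = new JSONObject();
    binding.put("kind", "Group");
    binding.put("apiGroup", "rbac.authorization.k8s.io");
    binding.put("name", localGroupName);
    subjects.add(binding);
    String jsonResp = os.callWSPut(token, con, roleBindingUri, rb.toJSONString());
    Response resp = new Gson().fromJson(jsonResp, Response.class);
    // A top-level status is only expected on an error (Status) reply; an empty body
    // deserializes to null and is treated as a failure as well.
    if (resp == null || resp.getStatus() != null) {
        throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
    }
    this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", localProjectName + '.' + localPolicyName + '.' + localGroupName);
}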

Example 22 with ProvisioningException

use of com.tremolosecurity.provisioning.core.ProvisioningException in project OpenUnison by TremoloSecurity.

the class AddGroupToRole method addTo36Role.

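/**
 * Adds {@code localGroupName} to the OpenShift 3.6 ({@code /oapi/v1}) role binding
 * {@code localPolicyName} in {@code localProjectName}, creating the binding when the
 * project's policy binding has none with that name, and records the action with the
 * provisioning engine.
 *
 * <p>Membership is detected through both {@code groupNames} and a {@code Group}
 * subject; when either already lists the group a warning is logged and nothing is
 * written.
 *
 * @param os               target used for the API calls
 * @param token            bearer token handed to {@code os.callWS*}
 * @param con              HTTP connection handed to the target
 * @param localProjectName namespace whose policy binding is read
 * @param localPolicyName  name of the role binding
 * @param localGroupName   group to add
 * @param approvalID       approval id recorded with the audit entry
 * @throws ProvisioningException if the project has no policy binding or the write is rejected
 * @throws Exception             propagated from the API calls and JSON parsing
 */
private void addTo36Role(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
    // Names go into the path unencoded; callers are expected to pass valid Kubernetes names.
    String policyBindingsUri = "/oapi/v1/namespaces/" + localProjectName + "/policybindings";
    String json = os.callWS(token, con, policyBindingsUri);
    if (logger.isDebugEnabled()) {
        logger.debug("All policy bindings : '" + json + "'");
    }
    JSONObject pbl = (JSONObject) new JSONParser().parse(json);
    JSONArray items = (JSONArray) pbl.get("items");
    if (items == null || items.isEmpty()) {
        // Explicit failure instead of an IndexOutOfBoundsException on items.get(0).
        throw new ProvisioningException("No policy bindings found in project '" + localProjectName + "'");
    }
    JSONArray roleBindings = (JSONArray) ((JSONObject) items.get(0)).get("roleBindings");
    JSONObject foundRoleBinding = findRoleBinding36(roleBindings, localPolicyName);
    if (foundRoleBinding != null && roleBindingHasGroup36(foundRoleBinding, localGroupName)) {
        logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
        return;
    }
    if (foundRoleBinding != null) {
        updateRoleBinding36(os, token, con, foundRoleBinding, localProjectName, localPolicyName, localGroupName);
    } else {
        createRoleBinding36(os, token, con, localProjectName, localPolicyName, localGroupName);
    }
    // Only reached when the PUT/POST succeeded; failures throw above.
    this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", localProjectName + '.' + localPolicyName + '.' + localGroupName);
}

/**
 * Returns the embedded {@code roleBinding} of the first entry in {@code roleBindings}
 * whose {@code name} equals {@code localPolicyName}, or {@code null} when there is none.
 */
private static JSONObject findRoleBinding36(JSONArray roleBindings, String localPolicyName) {
    if (roleBindings == null || localPolicyName == null) {
        return null;
    }
    for (Object o : roleBindings) {
        JSONObject binding = (JSONObject) o;
        if (localPolicyName.equals(binding.get("name"))) {
            return (JSONObject) binding.get("roleBinding");
        }
    }
    return null;
}

/**
 * Tells whether {@code roleBinding} already lists {@code localGroupName}, either in
 * {@code groupNames} (case-insensitive) or as a {@code Group} subject.
 */
private static boolean roleBindingHasGroup36(JSONObject roleBinding, String localGroupName) {
    JSONArray groupNames = (JSONArray) roleBinding.get("groupNames");
    if (groupNames != null) {
        for (Object o : groupNames) {
            if (o instanceof String && ((String) o).equalsIgnoreCase(localGroupName)) {
                return true;
            }
        }
    }
    JSONArray subjects = (JSONArray) roleBinding.get("subjects");
    if (subjects != null) {
        for (Object o : subjects) {
            JSONObject subj = (JSONObject) o;
            Object subjectName = subj.get("name");
            // Both "group" and "Group" appear as subject kinds in this class, so compare
            // case-insensitively; String.valueOf keeps a missing kind from throwing.
            if ("Group".equalsIgnoreCase(String.valueOf(subj.get("kind"))) && subjectName != null && subjectName.equals(localGroupName)) {
                return true;
            }
        }
    }
    return false;
}

/** Builds the {@code {"kind":"Group","name":...}} subject entry. */
private static JSONObject newGroupSubject36(String localGroupName) {
    JSONObject subject = new JSONObject();
    subject.put("kind", "Group");
    subject.put("name", localGroupName);
    return subject;
}

/**
 * Appends {@code localGroupName} to {@code roleBinding} (both {@code groupNames} and
 * {@code subjects}) and PUTs the binding back.
 *
 * @throws ProvisioningException if the reply is not a {@code RoleBinding}
 */
private void updateRoleBinding36(OpenShiftTarget os, String token, HttpCon con, JSONObject roleBinding, String localProjectName, String localPolicyName, String localGroupName) throws Exception {
    JSONArray groupNames = (JSONArray) roleBinding.get("groupNames");
    if (groupNames == null) {
        groupNames = new JSONArray();
        roleBinding.put("groupNames", groupNames);
    }
    groupNames.add(localGroupName);
    JSONArray subjects = (JSONArray) roleBinding.get("subjects");
    if (subjects == null) {
        subjects = new JSONArray();
        roleBinding.put("subjects", subjects);
    }
    subjects.add(newGroupSubject36(localGroupName));
    // Type fields are set so the object can be PUT as a standalone RoleBinding.
    roleBinding.put("kind", "RoleBinding");
    roleBinding.put("apiVersion", "v1");
    if (logger.isDebugEnabled()) {
        logger.debug("new policy : '" + roleBinding + "'");
    }
    String saveURI = "/oapi/v1/namespaces/" + localProjectName + "/rolebindings/" + localPolicyName;
    String jsonResp = os.callWSPut(token, con, saveURI, roleBinding.toJSONString());
    Response resp = new Gson().fromJson(jsonResp, Response.class);
    // Constant-first equals: a reply without kind (or an empty body) is a failure, not an NPE.
    if (resp == null || !"RoleBinding".equals(resp.getKind())) {
        throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
    }
}

/**
 * POSTs a new {@code v1 RoleBinding} named {@code localPolicyName} whose only member
 * is {@code localGroupName}.
 *
 * @throws ProvisioningException if the reply is not a {@code RoleBinding}
 */
private void createRoleBinding36(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName) throws Exception {
    JSONObject roleBinding = new JSONObject();
    roleBinding.put("kind", "RoleBinding");
    roleBinding.put("apiVersion", "v1");
    JSONObject metadata = new JSONObject();
    metadata.put("name", localPolicyName);
    metadata.put("namespace", localProjectName);
    roleBinding.put("metadata", metadata);
    JSONArray groupNames = new JSONArray();
    groupNames.add(localGroupName);
    roleBinding.put("groupNames", groupNames);
    JSONArray subjects = new JSONArray();
    subjects.add(newGroupSubject36(localGroupName));
    roleBinding.put("subjects", subjects);
    JSONObject roleRef = new JSONObject();
    roleRef.put("name", localPolicyName);
    roleBinding.put("roleRef", roleRef);
    String saveURI = "/oapi/v1/namespaces/" + localProjectName + "/rolebindings";
    String jsonResp = os.callWSPost(token, con, saveURI, roleBinding.toJSONString());
    if (logger.isDebugEnabled()) {
        logger.debug("response json  - " + jsonResp);
    }
    Response resp = new Gson().fromJson(jsonResp, Response.class);
    if (resp == null || !"RoleBinding".equals(resp.getKind())) {
        throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + (resp == null ? jsonResp : resp.getStatus()));
    }
}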

Example 23 with ProvisioningException

use of com.tremolosecurity.provisioning.core.ProvisioningException in project OpenUnison by TremoloSecurity.

the class PullListener method buildQueueConnections.

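/**
 * Lazily opens the JMS session used to publish to {@code sendToQueueName} and, when
 * configured, initializes the {@code additionalMetrics} hook.
 *
 * <p>Nothing happens when {@code jmsSession} is already set. The null check is not
 * synchronized — NOTE(review): assumes a single calling thread, confirm against callers.
 *
 * @param cfg configuration handed to {@code additionalMetrics.init}
 * @throws ProvisioningException wrapping whatever the session or hook setup threw
 */
private void buildQueueConnections(ConfigManager cfg) throws ProvisioningException {
    if (this.jmsSession != null) {
        return;
    }
    try {
        logger.debug("creating queues");
        this.jmsSession = JMSConnectionFactory.getConnectionFactory().getSession(this.sendToQueueName);
        if (this.additionalMetrics != null) {
            this.additionalMetrics.init(this, cfg, attributes);
        }
        logger.debug("created queues");
    } catch (Throwable t) {
        // Chain the cause: the bare message gave no hint why queue setup failed.
        throw new ProvisioningException("Could not initailize queues", t);
    }
}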

Example 24 with ProvisioningException

use of com.tremolosecurity.provisioning.core.ProvisioningException in project OpenUnison by TremoloSecurity.

the class PullListener method init.

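/**
 * Configures the listener from its task attributes: the compressed JSON list of
 * {@code AggregateURL}s to pull, the queue to send to, and an optional
 * {@code AdditionalMetrics} implementation loaded by class name.
 *
 * @param cfg        configuration handed to {@code PullMetrics}
 * @param attributes task attributes; {@code urls} and {@code sendToQueueName} are
 *                   required, {@code additionalMetricsClassName} is optional
 * @throws ProvisioningException if a required attribute is missing, the url list
 *                               cannot be decompressed, or the metrics class cannot
 *                               be loaded or instantiated
 */
@Override
public void init(ConfigManager cfg, HashMap<String, Attribute> attributes) throws ProvisioningException {
    String urlList;
    try {
        urlList = PrometheusUtils.decompress(requiredAttributeValue(attributes, "urls"));
    } catch (IOException e1) {
        throw new ProvisioningException("Could not decompress url configuration", e1);
    }
    Type listType = new TypeToken<ArrayList<AggregateURL>>() {
    }.getType();
    this.pull = new PullMetrics((List<AggregateURL>) new Gson().fromJson(urlList, listType), cfg);
    this.sendToQueueName = requiredAttributeValue(attributes, "sendToQueueName");
    this.attributes = attributes;
    Attribute metricsClassAttr = attributes.get("additionalMetricsClassName");
    if (metricsClassAttr != null) {
        // The class name comes from the listener's own configuration; it is checked
        // against the expected interface before instantiation instead of relying on
        // a ClassCastException.
        String className = metricsClassAttr.getValues().get(0);
        try {
            Class<?> clazz = Class.forName(className);
            if (!AdditionalMetrics.class.isAssignableFrom(clazz)) {
                throw new ProvisioningException("'" + className + "' does not implement AdditionalMetrics");
            }
            this.additionalMetrics = (AdditionalMetrics) clazz.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            // Covers ClassNotFound, NoSuchMethod, Instantiation, IllegalAccess and InvocationTarget.
            throw new ProvisioningException("Could not instantiate additional metrics", e);
        }
    }
}

/**
 * Returns the first value of attribute {@code name}.
 *
 * @throws ProvisioningException if the attribute is absent or has no values
 */
private static String requiredAttributeValue(HashMap<String, Attribute> attributes, String name) throws ProvisioningException {
    Attribute attr = attributes.get(name);
    if (attr == null || attr.getValues() == null || attr.getValues().isEmpty()) {
        throw new ProvisioningException("Missing required attribute '" + name + "'");
    }
    return attr.getValues().get(0);
}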

Example 25 with ProvisioningException

use of com.tremolosecurity.provisioning.core.ProvisioningException in project OpenUnison by TremoloSecurity.

the class LoadTargetsFromK8s method createTarget.

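/**
 * Builds a {@code TargetType} from a {@code Target} custom resource and registers it
 * in the provisioning configuration, replacing an already registered target of the
 * same name.
 *
 * <p>{@code spec.className}, {@code spec.params} and {@code spec.targetAttributes}
 * go through {@code OpenUnisonConfigLoader.integrateIncludes}; {@code spec.secretParams}
 * are resolved from Kubernetes secrets over a dedicated non-watch client that is
 * closed in {@code finally}. Secret values are not logged and do not appear in the
 * error message. Absent lists in the spec are treated as empty.
 *
 * @param item the custom resource as parsed JSON
 * @param name the target name to register under
 * @return the registered target
 * @throws ProvisioningException wrapping any failure while reading the spec or secrets
 */
private TargetType createTarget(JSONObject item, String name) throws ProvisioningException {
    TargetType target = new TargetType();
    target.setName(name);
    target.setParams(new TargetConfigType());
    JSONObject spec = (JSONObject) item.get("spec");
    HttpCon nonwatchHttp = null;
    try {
        nonwatchHttp = this.k8sWatch.getK8s().createClient();
        String token = this.k8sWatch.getK8s().getAuthToken();
        // Scratch buffer reused by every integrateIncludes call.
        StringBuffer b = new StringBuffer();
        target.setClassName(resolveIncludes(b, (String) spec.get("className")));
        for (Object o : jsonArrayOrEmpty(spec, "params")) {
            JSONObject param = (JSONObject) o;
            ParamType pt = new ParamType();
            pt.setName(resolveIncludes(b, (String) param.get("name")));
            pt.setValue(resolveIncludes(b, (String) param.get("value")));
            target.getParams().getParam().add(pt);
        }
        for (Object o : jsonArrayOrEmpty(spec, "secretParams")) {
            JSONObject secretParam = (JSONObject) o;
            String secretName = (String) secretParam.get("secretName");
            String secretKey = (String) secretParam.get("secretKey");
            ParamType pt = new ParamType();
            pt.setName((String) secretParam.get("name"));
            // Secret values bypass integrateIncludes and are never logged.
            pt.setValue(this.k8sWatch.getSecretValue(secretName, secretKey, token, nonwatchHttp));
            target.getParams().getParam().add(pt);
        }
        for (Object o : jsonArrayOrEmpty(spec, "targetAttributes")) {
            JSONObject attr = (JSONObject) o;
            TargetAttributeType ta = new TargetAttributeType();
            ta.setName(resolveIncludes(b, (String) attr.get("name")));
            ta.setSource(resolveIncludes(b, (String) attr.get("source")));
            ta.setSourceType((String) attr.get("sourceType"));
            ta.setTargetType((String) attr.get("targetType"));
            target.getTargetAttribute().add(ta);
        }
        registerTarget(target);
        return target;
    } catch (Exception e) {
        throw new ProvisioningException("Could not add target '" + name + "'", e);
    } finally {
        if (nonwatchHttp != null) {
            try {
                nonwatchHttp.getHttp().close();
            } catch (IOException ignored) {
                // Best effort: the connection manager below is closed regardless.
            }
            nonwatchHttp.getBcm().close();
        }
    }
}

/** Runs {@code value} through {@code OpenUnisonConfigLoader.integrateIncludes}, using {@code b} as scratch. */
private static String resolveIncludes(StringBuffer b, String value) throws Exception {
    b.setLength(0);
    OpenUnisonConfigLoader.integrateIncludes(b, value);
    return b.toString();
}

/** Returns {@code spec.get(key)} as a {@code JSONArray}, or an empty array when the key is absent. */
private static JSONArray jsonArrayOrEmpty(JSONObject spec, String key) {
    JSONArray arr = (JSONArray) spec.get(key);
    return arr != null ? arr : new JSONArray();
}

/**
 * Replaces the first registered target with the same name (if any) and adds
 * {@code target}, holding the target list's monitor for the whole update.
 */
private void registerTarget(TargetType target) {
    java.util.List<TargetType> targets = this.tremolo.getProvisioning().getTargets().getTarget();
    synchronized (targets) {
        for (int i = 0; i < targets.size(); i++) {
            if (targets.get(i).getName().equals(target.getName())) {
                targets.remove(i);
                break;
            }
        }
        targets.add(target);
    }
}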
