Use of com.tremolosecurity.provisioning.core.Workflow in project OpenUnison by TremoloSecurity.
Class K8sCrdUserProvider, method createUser.
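@Override
public void createUser(User user, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    // Creates the OpenUnison "User" custom resource for this user in the configured namespace.
    // Only attributes listed in 'attributes' are written; a requested attribute that the user
    // lacks is an error. Every written value is recorded through logAction for the audit trail.
    //
    // The resource name is derived from the subject by sub2uid. NOTE(review): the same value is
    // used as a URL path segment in syncUser, so this relies on sub2uid never yielding '/' or
    // other path characters — confirm against OpenShiftTarget.sub2uid.
    String k8sUserId = OpenShiftTarget.sub2uid(user.getUserID());

    int approvalID = 0;
    if (request.containsKey("APPROVAL_ID")) {
        approvalID = (Integer) request.get("APPROVAL_ID");
    }
    Workflow workflow = (Workflow) request.get("WORKFLOW");

    HashMap<String, Object> createObject = new HashMap<String, Object>();
    createObject.put("apiVersion", "openunison.tremolo.io/v1");
    createObject.put("kind", "User");

    HashMap<String, Object> metaData = new HashMap<String, Object>();
    createObject.put("metadata", metaData);
    metaData.put("name", k8sUserId);
    metaData.put("namespace", this.nameSpace);

    HashMap<String, Object> spec = new HashMap<String, Object>();
    createObject.put("spec", spec);

    // Scalar attributes are copied from the user's first value. A requested attribute that is
    // missing or empty is rejected rather than silently written as nothing.
    String[] scalarAttrs = new String[] {"sub", "first_name", "last_name", "email"};
    for (String attrName : scalarAttrs) {
        if (!attributes.contains(attrName)) {
            continue;
        }
        if (user.getAttribs().get(attrName) == null || user.getAttribs().get(attrName).getValues().isEmpty()) {
            throw new ProvisioningException("No " + attrName + " attribute");
        }
        spec.put(attrName, user.getAttribs().get(attrName).getValues().get(0));
    }
    if (attributes.contains("uid")) {
        spec.put("uid", k8sUserId);
    }
    spec.put("groups", user.getGroups());

    OpenShiftTarget k8s;
    try {
        k8s = (OpenShiftTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.k8sTarget).getProvider();
    } catch (ProvisioningException e1) {
        logger.error("Could not retrieve kubernetes target", e1);
        throw new ProvisioningException("Could not connect to kubernetes", e1);
    }

    String url = "/apis/openunison.tremolo.io/v1/namespaces/" + this.nameSpace + "/users";

    try {
        HttpCon con = k8s.createClient();
        try {
            String jsonReq = this.gsonNoUnderScore.toJson(createObject);
            String jsonResp = k8s.callWSPost(k8s.getAuthToken(), con, url, jsonReq);

            // A successful create echoes the object back. Anything else (for example a Status
            // object for a conflict or an authorization failure) carries no spec and is a failure.
            UserData created = gson.fromJson(jsonResp, UserData.class);
            if (created == null || created.getSpec() == null) {
                throw new ProvisioningException("User not created - '" + jsonResp + "'");
            }

            // Audit: the user itself, then each attribute value that was written.
            GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, true, ActionType.Add, approvalID, workflow, "sub", user.getUserID());
            for (String attrName : scalarAttrs) {
                if (attributes.contains(attrName)) {
                    GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, false, ActionType.Add, approvalID, workflow, attrName, user.getAttribs().get(attrName).getValues().get(0));
                }
            }
            if (attributes.contains("uid")) {
                GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, false, ActionType.Add, approvalID, workflow, "uid", k8sUserId);
            }
            for (String group : user.getGroups()) {
                GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, false, ActionType.Add, approvalID, workflow, "group", group);
            }
        } finally {
            // Close the connection manager first so a failure closing the client cannot skip it,
            // and never let a close failure mask the outcome of the create.
            con.getBcm().close();
            try {
                con.getHttp().close();
            } catch (Exception closeErr) {
                logger.warn("Could not close kubernetes connection", closeErr);
            }
        }
    } catch (ProvisioningException e) {
        // Keep the specific failure (e.g. "User not created") visible to the caller.
        throw e;
    } catch (Exception e) {
        logger.error("Could not create user in k8s", e);
        throw new ProvisioningException("Error creating user in kubernetes", e);
    }
}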
Use of com.tremolosecurity.provisioning.core.Workflow in project OpenUnison by TremoloSecurity.
Class K8sCrdUserProvider, method syncUser.
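@Override
public void syncUser(User user, boolean addOnly, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    // Reconciles the OpenUnison "User" custom resource with 'user'. A user that does not exist
    // yet is created; otherwise only the attributes in 'attributes' that differ (case-insensitive)
    // and the group membership delta are sent as a JSON patch to the spec. With addOnly set,
    // groups are only ever added, never removed. Every change is recorded through logAction.
    User fromServer = this.findUser(user.getUserID(), attributes, request);
    if (fromServer == null) {
        this.createUser(user, attributes, request);
        return;
    }

    // NOTE(review): k8sUserId becomes a URL path segment below; this relies on sub2uid never
    // yielding '/' or other path characters — confirm against OpenShiftTarget.sub2uid.
    String k8sUserId = OpenShiftTarget.sub2uid(user.getUserID());

    int approvalID = 0;
    if (request.containsKey("APPROVAL_ID")) {
        approvalID = (Integer) request.get("APPROVAL_ID");
    }
    Workflow workflow = (Workflow) request.get("WORKFLOW");

    OpenShiftTarget k8s;
    try {
        k8s = (OpenShiftTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.k8sTarget).getProvider();
    } catch (ProvisioningException e1) {
        logger.error("Could not retrieve kubernetes target", e1);
        throw new ProvisioningException("Could not connect to kubernetes", e1);
    }

    String url = "/apis/openunison.tremolo.io/v1/namespaces/" + this.nameSpace + "/users/" + k8sUserId;

    HashMap<String, Object> patch = new HashMap<String, Object>();

    // Scalar attributes: a requested attribute the incoming user lacks is an error (matching
    // createUser); a value the server lacks counts as different and is written.
    String[] scalarAttrs = new String[] {"first_name", "last_name", "email"};
    for (String attrName : scalarAttrs) {
        if (!attributes.contains(attrName)) {
            continue;
        }
        if (user.getAttribs().get(attrName) == null || user.getAttribs().get(attrName).getValues().isEmpty()) {
            throw new ProvisioningException("No " + attrName + " attribute");
        }
        String wanted = user.getAttribs().get(attrName).getValues().get(0);
        String current = null;
        if (fromServer.getAttribs().get(attrName) != null && !fromServer.getAttribs().get(attrName).getValues().isEmpty()) {
            current = fromServer.getAttribs().get(attrName).getValues().get(0);
        }
        if (current == null || !current.equalsIgnoreCase(wanted)) {
            patch.put(attrName, wanted);
        }
    }

    // Groups: start from the server's list, append what the user has that the server lacks,
    // and (unless addOnly) drop what the server has that the user lacks.
    List<String> newGroups = new ArrayList<String>(fromServer.getGroups());
    List<String> added = new ArrayList<String>();
    for (String groupFromUser : user.getGroups()) {
        if (!newGroups.contains(groupFromUser)) {
            newGroups.add(groupFromUser);
            added.add(groupFromUser);
        }
    }
    List<String> removed = new ArrayList<String>();
    if (!addOnly) {
        for (String existing : newGroups) {
            if (!user.getGroups().contains(existing)) {
                removed.add(existing);
            }
        }
        newGroups.removeAll(removed);
    }
    if (!added.isEmpty() || !removed.isEmpty()) {
        patch.put("groups", newGroups);
    }

    if (patch.isEmpty()) {
        return;
    }

    HashMap<String, Object> spec = new HashMap<String, Object>();
    spec.put("spec", patch);
    String json = this.gsonNoUnderScore.toJson(spec);

    try {
        HttpCon con = k8s.createClient();
        try {
            k8s.callWSPatchJson(k8s.getAuthToken(), con, url, json);

            // Audit each change that was applied.
            for (String attrName : patch.keySet()) {
                if (attrName.equalsIgnoreCase("groups")) {
                    for (String group : added) {
                        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, false, ActionType.Add, approvalID, workflow, "group", group);
                    }
                    for (String group : removed) {
                        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, false, ActionType.Delete, approvalID, workflow, "group", group);
                    }
                } else {
                    GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().logAction(this.name, false, ActionType.Replace, approvalID, workflow, attrName, patch.get(attrName).toString());
                }
            }
        } finally {
            // Close the connection manager first so a failure closing the client cannot skip it,
            // and never let a close failure mask the outcome of the patch.
            con.getBcm().close();
            try {
                con.getHttp().close();
            } catch (Exception closeErr) {
                logger.warn("Could not close kubernetes connection", closeErr);
            }
        }
    } catch (Exception e) {
        logger.error("Could not patch user in k8s", e);
        throw new ProvisioningException("Error patching user in kubernetes", e);
    }
}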
Use of com.tremolosecurity.provisioning.core.Workflow in project OpenUnison by TremoloSecurity.
Class ClearJobs, method execute.
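@Override
public void execute(ConfigManager configManager, JobExecutionContext context) throws ProvisioningException {
    // Scheduled job: lists the objects under 'uri' on 'target' that match the 'labels' selector
    // and, for each whose status reports succeeded == 1, runs 'workflow' as 'runWorkflowAsUsername'
    // with the object's name and labels in the request so the workflow can clean it up.
    if (configManager == null || configManager.getProvisioningEngine() == null) {
        logger.warn("System not fully initialized");
        return;
    }

    String target = context.getJobDetail().getJobDataMap().getString("target");
    String uri = context.getJobDetail().getJobDataMap().getString("uri");
    String labels = context.getJobDetail().getJobDataMap().getString("labels");
    String workflowName = context.getJobDetail().getJobDataMap().getString("workflow");
    String runWorkflowAsUsername = context.getJobDetail().getJobDataMap().getString("runWorkflowAsUsername");
    String runWorkflowAsUsernameAttribute = context.getJobDetail().getJobDataMap().getString("runWorkflowAsUsernameAttribute");

    // Fail on missing configuration up front instead of with an NPE part-way through a run.
    if (target == null || uri == null || labels == null || workflowName == null
            || runWorkflowAsUsername == null || runWorkflowAsUsernameAttribute == null) {
        throw new ProvisioningException("ClearJobs requires target, uri, labels, workflow, runWorkflowAsUsername and runWorkflowAsUsernameAttribute");
    }
    // An empty selector matches every object under 'uri'; allowed, but worth noticing.
    if (labels.trim().isEmpty()) {
        logger.warn("labels selector is empty - every object under '" + uri + "' is eligible for clearing");
    }

    if (GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(target) == null) {
        throw new ProvisioningException("Target '" + target + "' not found");
    }
    OpenShiftTarget os = (OpenShiftTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(target).getProvider();

    HttpCon con = null;
    try {
        con = os.createClient();
        String token = os.getAuthToken();
        String finalUri = uri + "?labelSelector=" + URLEncoder.encode(labels, "UTF-8");
        String jsonResponse = os.callWS(token, con, finalUri);
        // The raw list response can be large and may include object details; keep it at debug.
        if (logger.isDebugEnabled()) {
            logger.debug(jsonResponse);
        }

        JSONObject root = (JSONObject) new JSONParser().parse(jsonResponse);
        JSONArray items = (JSONArray) root.get("items");
        if (items == null) {
            // Not a list, typically a Status object for an authorization or path error.
            throw new ProvisioningException("No items listing '" + finalUri + "' - kind='" + root.get("kind") + "' message='" + root.get("message") + "'");
        }

        for (Object o : items) {
            JSONObject job = (JSONObject) o;
            JSONObject metadata = (JSONObject) job.get("metadata");
            JSONObject status = (JSONObject) job.get("status");
            if (metadata == null || status == null) {
                continue;
            }

            Long succeeded = (Long) status.get("succeeded");
            // NOTE(review): a Job with completions > 1 reports succeeded > 1 when done; the
            // original == 1 test is kept, which skips those — confirm that is intended.
            if (succeeded == null || succeeded.intValue() != 1) {
                continue;
            }

            HashMap<String, Object> request = new HashMap<String, Object>();
            request.put("job_name", (String) metadata.get("name"));

            // Labels are copied into the workflow request. Anyone who can label objects under
            // 'uri' controls these values, so the workflow must treat them as untrusted input.
            JSONObject jobLabels = (JSONObject) metadata.get("labels");
            if (jobLabels != null) {
                for (Object keyO : jobLabels.keySet()) {
                    String key = (String) keyO;
                    logger.info("label - '" + key + "'='" + jobLabels.get(key) + "'");
                    request.put("job_labels_" + key, jobLabels.get(key));
                }
            }

            // The workflow runs as the configured service identity, not as any end user.
            User user = new User();
            user.setUserID(runWorkflowAsUsername);
            user.setRequestReason("Clearing completed job " + metadata.get("name"));
            user.getAttribs().put(runWorkflowAsUsernameAttribute, new Attribute(runWorkflowAsUsernameAttribute, runWorkflowAsUsername));

            Workflow wf = GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(workflowName, user);
            logger.info(request);
            wf.executeWorkflow(user, request);
        }
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        throw new ProvisioningException("Could not clear object", e);
    } finally {
        if (con != null) {
            con.getBcm().close();
            try {
                con.getHttp().close();
            } catch (IOException e) {
                logger.warn("Could not close connection", e);
            }
        }
    }
}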
Use of com.tremolosecurity.provisioning.core.Workflow in project OpenUnison by TremoloSecurity.
Class AddGroupToRole, method doTask.
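@Override
public boolean doTask(User user, Map<String, Object> request) throws ProvisioningException {
    // Workflow task: binds the rendered group to the rendered role in the rendered project on
    // the "openshift" target, using either the 3.6 policy API or RBAC depending on
    // openShiftVersion. Always returns true once the binding call has completed.
    int approvalID = 0;
    if (request.containsKey("APPROVAL_ID")) {
        approvalID = (Integer) request.get("APPROVAL_ID");
    }

    // Templates are rendered from the workflow request, so their inputs are whatever the
    // workflow placed there; the helpers are expected to send them as structured JSON.
    String localProjectName = task.renderTemplate(projectName, request);
    String localGroupName = task.renderTemplate(groupName, request);
    String localPolicyName = task.renderTemplate(roleName, request);

    // NOTE(review): the target name is hard-coded to "openshift" here, unlike the K8s CRD
    // provider which reads it from configuration.
    OpenShiftTarget os = (OpenShiftTarget) task.getConfigManager().getProvisioningEngine().getTarget("openshift").getProvider();

    HttpCon con = null;
    try {
        String token = os.getAuthToken();
        con = os.createClient();
        // Exact double comparison, kept from the original; only 3.6 selects the legacy API.
        if (this.openShiftVersion == 3.6) {
            addTo36Role(os, token, con, localProjectName, localPolicyName, localGroupName, approvalID);
        } else {
            addToRBACRole(os, token, con, localProjectName, localPolicyName, localGroupName, approvalID);
        }
    } catch (Exception e) {
        throw new ProvisioningException("Could not add group to role", e);
    } finally {
        if (con != null) {
            // Close both halves of the connection, as the other providers in this project do.
            con.getBcm().close();
            try {
                con.getHttp().close();
            } catch (Exception ignored) {
                // best-effort close; the binding result has already been determined
            }
        }
    }
    return true;
}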
Use of com.tremolosecurity.provisioning.core.Workflow in project OpenUnison by TremoloSecurity.
Class CreateProject, method doTask.
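@Override
public boolean doTask(User user, Map<String, Object> request) throws ProvisioningException {
    // Workflow task: renders the project-request template, and if no project by that name
    // exists yet, submits it. A successful request is confirmed by a "Project" object in the
    // response and recorded through logAction. Always returns true once done.
    String localTemplate = task.renderTemplate(template, request);
    if (logger.isDebugEnabled()) {
        logger.debug("localTemplate : '" + localTemplate + "'");
    }

    int approvalID = 0;
    if (request.containsKey("APPROVAL_ID")) {
        approvalID = (Integer) request.get("APPROVAL_ID");
    }

    // NOTE(review): the target name is hard-coded to "openshift" here.
    OpenShiftTarget os = (OpenShiftTarget) task.getConfigManager().getProvisioningEngine().getTarget("openshift").getProvider();

    HttpCon con = null;
    try {
        String token = os.getAuthToken();
        con = os.createClient();

        // isObjectExists is handed the rendered template; presumably it reads the project name
        // from it — verify against OpenShiftTarget.isObjectExists.
        if (!os.isObjectExists(token, con, "/apis/project.openshift.io/v1/projects", localTemplate)) {
            String respJSON = os.callWSPost(token, con, "/apis/project.openshift.io/v1/projectrequests", localTemplate);
            if (logger.isDebugEnabled()) {
                logger.debug("Response for creating project : '" + respJSON + "'");
            }

            JSONObject resp = (JSONObject) new JSONParser().parse(respJSON);
            String kind = (String) resp.get("kind");
            // Check the kind before touching metadata: an error response (e.g. a Status for a
            // forbidden request) is not guaranteed to carry a name.
            if (kind == null || !kind.equalsIgnoreCase("Project")) {
                throw new ProvisioningException("Could not create project with json '" + localTemplate + "' - '" + respJSON + "'");
            }

            JSONObject metadata = (JSONObject) resp.get("metadata");
            String createdName = metadata == null ? null : (String) metadata.get("name");
            this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project", createdName);
        }
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        throw new ProvisioningException("Could not create project", e);
    } finally {
        if (con != null) {
            // Close both halves of the connection, as the other providers in this project do.
            con.getBcm().close();
            try {
                con.getHttp().close();
            } catch (Exception closeErr) {
                logger.warn("Could not close connection", closeErr);
            }
        }
    }
    return true;
}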