
Example 1 with Approvers

Use of com.tremolosecurity.provisioning.objects.Approvers in the OpenUnison project by TremoloSecurity.

From the class AzUtils, method loadDNApprovers:

/**
 * Links every user entry found beneath {@code constraint} to {@code approval} as an allowed approver.
 *
 * <p>A subtree search (scope 2) is run under {@code constraint} for entries of the configured user
 * object class, requesting only the provisioning user-id attribute. Each hit is resolved through
 * {@link #getApproverByDN}; a {@code null} result is skipped, otherwise an {@code AllowedApprovers}
 * row tying the approver to {@code approval} is saved in {@code session}.
 *
 * @param approval         the approval record the approvers are attached to
 * @param emailTemplate    passed through to getApproverByDN
 * @param cfg              configuration manager giving access to MyVD and the provisioning engine
 * @param session          Hibernate session the AllowedApprovers rows are saved in
 * @param id2              unused
 * @param constraint       base DN of the subtree to search
 * @param sendNotification passed through to getApproverByDN
 * @return {@code true} if at least one approver was linked
 * @throws ProvisioningException wrapping any exception raised by the search, getApproverByDN or the save
 */
public static boolean loadDNApprovers(Approvals approval, String emailTemplate, ConfigManager cfg, Session session, int id2, String constraint, boolean sendNotification) throws ProvisioningException {
    // Only the user-id attribute is requested; getApproverByDN re-reads whatever else it needs.
    ArrayList<String> requestedAttrs = new ArrayList<String>();
    requestedAttrs.add(cfg.getProvisioningEngine().getUserIDAttribute());
    // Filter is built with the equal() helper (presumably an LDAP filter builder that escapes the
    // value) rather than by string concatenation.
    String userFilter = equal("objectClass", cfg.getCfg().getUserObjectClass()).toString();
    boolean anyLinked = false;
    try {
        LDAPSearchResults results = cfg.getMyVD().search(constraint, 2, userFilter, requestedAttrs);
        while (results.hasMore()) {
            LDAPEntry userEntry = results.next();
            Approvers approver = getApproverByDN(approval, emailTemplate, cfg, session, userEntry.getDN(), sendNotification);
            if (approver != null) {
                AllowedApprovers link = new AllowedApprovers();
                link.setApprovals(approval);
                link.setApprovers(approver);
                session.save(link);
                anyLinked = true;
            }
        }
    } catch (Exception e) {
        throw new ProvisioningException("Could not find approvers", e);
    }
    return anyLinked;
}

Example 2 with Approvers

Use of com.tremolosecurity.provisioning.objects.Approvers in the OpenUnison project by TremoloSecurity.

From the class SendMessageThread, method doApproval:

/* (non-Javadoc)
	 * @see com.tremolosecurity.provisioning.core.ProvisioningEngine#doApproval(int, java.lang.String, boolean, java.lang.String)
	 */
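@Override
public void doApproval(int id, String userID, boolean approved, String reason) throws ProvisioningException {
    org.hibernate.Session session = this.sessionFactory.openSession();
    // Set once commit() returns; anything still pending in finally is rolled back.
    boolean committed = false;
    try {
        // Begin before the first write (an Approvers row may be inserted below) so the approver
        // bookkeeping and the approval decision are committed or discarded together. Previously
        // the transaction only started after that first save.
        session.beginTransaction();
        // Resolve the approver's directory entry by the configured user-id attribute.
        LDAPSearchResults res = this.cfgMgr.getMyVD().search(this.cfgMgr.getCfg().getLdapRoot(), 2, equal(this.userIDAttributeName, userID).toString(), new ArrayList<String>());
        if (!res.hasMore()) {
            throw new ProvisioningException("Could not locate approver '" + userID + "'");
        }
        LDAPEntry approver = res.next();
        // This entry (DN plus every attribute) is the subject of the authorization check below.
        AuthInfo auinfo = new AuthInfo();
        auinfo.setUserDN(approver.getDN());
        LDAPAttributeSet attrs = approver.getAttributeSet();
        for (Object obj : attrs) {
            LDAPAttribute attr = (LDAPAttribute) obj;
            Attribute attrib = new Attribute(attr.getName());
            String[] vals = attr.getStringValueArray();
            for (String val : vals) {
                attrib.getValues().add(val);
            }
            auinfo.getAttribs().put(attrib.getName(), attrib);
        }
        // Drain the result set. The first match is the one authorized; a further match means the
        // user-id attribute is not unique under the LDAP root, which deserves a warning since a
        // different entry could have been the intended approver.
        int extraMatches = 0;
        while (res.hasMore()) {
            res.next();
            extraMatches++;
        }
        if (extraMatches > 0) {
            logger.warn("Multiple directory entries match approver '" + userID + "', using " + approver.getDN());
        }
        // Find or create the persisted Approvers row keyed by userID.
        Query query = session.createQuery("FROM Approvers WHERE userKey = :user_key");
        query.setParameter("user_key", userID);
        List<Approvers> approvers = query.list();
        Approvers approverObj = null;
        if (logger.isDebugEnabled()) {
            logger.debug("Approver UserID : " + userID);
        }
        if (approvers.size() == 0) {
            approverObj = new Approvers();
            approverObj.setUserKey(userID);
            session.save(approverObj);
        } else {
            approverObj = approvers.get(0);
        }
        // Mirror the configured approver attributes from the directory entry onto the row.
        // NOTE(review): AzUtils.getApprover carries a near-copy of this loop that skips creating a
        // row when the directory has no value; here an unvalued row is created. Worth reconciling.
        for (String attrName : this.getApproverAttributes()) {
            boolean found = false;
            for (ApproverAttributes appAttr : approverObj.getApproverAttributeses()) {
                if (attrName.equalsIgnoreCase(appAttr.getName())) {
                    found = true;
                    LDAPAttribute approverAttr = approver.getAttribute(attrName);
                    if (approverAttr != null) {
                        if (!approverAttr.getStringValue().equals(appAttr.getValue())) {
                            appAttr.setValue(approverAttr.getStringValue());
                            session.save(appAttr);
                        }
                    }
                }
            }
            if (!found) {
                ApproverAttributes attr = new ApproverAttributes();
                attr.setName(attrName);
                LDAPAttribute approverAttr = approver.getAttribute(attrName);
                if (approverAttr != null) {
                    attr.setValue(approverAttr.getStringValue());
                }
                attr.setApprovers(approverObj);
                approverObj.getApproverAttributeses().add(attr);
                session.save(attr);
            }
        }
        // get() returns null for an unknown id; load() handed back a proxy and only failed on first
        // access, which made the null check below unreachable.
        Approvals approvals = session.get(Approvals.class, id);
        if (approvals == null) {
            throw new ProvisioningException("Approval not found");
        }
        // The serialized workflow is cleared once an approval is decided (see below), so a null here
        // most likely means a repeat decision on an already-completed approval. Reject it explicitly
        // instead of failing with an NPE inside the Gson parse.
        String json = approvals.getWorkflowObj();
        if (json == null) {
            throw new ProvisioningException("Approval " + id + " has no pending workflow; it may already have been completed");
        }
        Gson gson = new Gson();
        Token token = gson.fromJson(json, Token.class);
        byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
        IvParameterSpec spec = new IvParameterSpec(iv);
        // NOTE(review): AES-CBC carries no integrity tag, and the decrypted JSON is handed to json-io,
        // which rebuilds Java objects from type names in the document. Tampering with the stored blob
        // is therefore prevented only by access control on the approval DB, not by the cipher.
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, this.cfgMgr.getSecretKey(this.cfgMgr.getCfg().getProvisioning().getApprovalDB().getEncryptionKey()), spec);
        byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
        // NOTE(review): decodes with the platform default charset; this must match whatever the
        // encrypting side used -- confirm both sides are UTF-8.
        String jsonDecr = new String(cipher.doFinal(encBytes));
        Workflow wf = (Workflow) JsonReader.jsonToJava(jsonDecr);
        Approval approval = (Approval) wf.findCurrentApprovalTask();
        if (approval == null) {
            throw new ProvisioningException("Could not locate approval step");
        }
        // Authorize this approver against the step's rules before recording any decision.
        AzSys az = new AzSys();
        for (AzRule rule : approval.getAzRules()) {
            if (rule.getCustomAuthorization() != null) {
                rule.getCustomAuthorization().loadConfigManager(cfgMgr);
                rule.getCustomAuthorization().setWorkflow(wf);
            }
        }
        if (!az.checkRules(auinfo, this.cfgMgr, approval.getAzRules(), wf.getRequest())) {
            throw new ProvisioningException("Az of approval failed");
        }
        DateTime now = new DateTime();
        // Clearing the workflow object is what marks the approval as decided (the guard above keys on it).
        approvals.setWorkflowObj(null);
        approvals.setApprovedTs(new Timestamp(now.getMillis()));
        approvals.setApprovers(approverObj);
        approvals.setApproved(approved ? 1 : 0);
        approvals.setReason(reason);
        session.save(approvals);
        wf.getRequest().put(Approval.APPROVAL_RESULT, Boolean.valueOf(approved));
        approval.markComplete(approved);
        if (approved) {
            wf.reInit(cfgMgr);
            wf.restart();
        } else {
            // On rejection, notify the requester (when distinct from the subject) and the subject,
            // then resume the workflow so it can run its failure path.
            if (wf.getUserNum() != wf.getRequesterNum()) {
                wf.getRequester().getAttribs().put("reason", new Attribute("reason", reason));
                if (!wf.getRequester().getAttribs().containsKey(approval.getMailAttr())) {
                    logger.warn("Can not send failure notification to " + wf.getRequester().getUserID() + ", no mail found");
                } else {
                    this.sendNotification(wf.getRequester().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getRequester());
                }
            }
            wf.getUser().getAttribs().put("reason", new Attribute("reason", reason));
            if (!wf.getUser().getAttribs().containsKey(approval.getMailAttr())) {
                logger.warn("Can not send failure notification to " + wf.getUser().getUserID() + ", no mail found");
            } else {
                this.sendNotification(wf.getUser().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getUser());
            }
            wf.reInit(cfgMgr);
            wf.restart();
        }
        session.getTransaction().commit();
        committed = true;
    } catch (LDAPException e) {
        throw new ProvisioningException("Could not load approver", e);
    } catch (SQLException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (IOException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (ClassNotFoundException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (NoSuchAlgorithmException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (NoSuchPaddingException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (InvalidKeyException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (InvalidAlgorithmParameterException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (IllegalBlockSizeException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (BadPaddingException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        logger.error("Exception running workflow", e);
        throw new ProvisioningException("Exception running workflow", e);
    } finally {
        if (session != null) {
            if (!committed) {
                // Discard approver rows written before the failure (for example a failed AZ check)
                // rather than leaving them to whatever the connection does on close.
                try {
                    session.getTransaction().rollback();
                } catch (Exception rollbackFailure) {
                    logger.warn("Could not roll back approval transaction", rollbackFailure);
                }
            }
            session.close();
        }
    }
}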

Example 3 with Approvers

Use of com.tremolosecurity.provisioning.objects.Approvers in the OpenUnison project by TremoloSecurity.

From the class AzUtils, method loadFilterApprovers:

/**
 * Links to {@code approval}, as allowed approvers, every entry under the LDAP root that matches the
 * {@code constraint} filter and carries the provisioning user-id attribute.
 *
 * <p>When {@code sendNotification} is set, each qualifying entry is emailed {@code emailTemplate}
 * at its {@code mail} attribute (a warning is logged when it has none) before the approver row is
 * resolved through {@link #getApprover}.
 *
 * @param approval         the approval record the approvers are attached to
 * @param emailTemplate    template sent to each approver and passed to getApprover
 * @param cfg              configuration manager giving access to MyVD and the provisioning engine
 * @param session          Hibernate session the Approvers / AllowedApprovers rows are saved in
 * @param id               unused
 * @param constraint       LDAP filter string, searched with subtree scope under the configured LDAP root
 * @param sendNotification whether to email each matching entry
 * @return {@code true} if at least one approver was linked
 * @throws ProvisioningException wrapping any exception from the search, notification, getApprover or the save
 */
public static boolean loadFilterApprovers(Approvals approval, String emailTemplate, ConfigManager cfg, Session session, int id, String constraint, boolean sendNotification) throws ProvisioningException {
    // An empty attribute list asks the directory for every attribute; the mail lookup below and
    // getApprover's attribute sync both rely on that.
    ArrayList<String> requestedAttrs = new ArrayList<String>();
    String userIdAttrName = cfg.getProvisioningEngine().getUserIDAttribute();
    boolean anyLinked = false;
    try {
        // NOTE(review): constraint is used verbatim as the LDAP filter. It is expected to come from
        // workflow configuration rather than request data -- verify at the call sites.
        LDAPSearchResults results = cfg.getMyVD().search(cfg.getCfg().getLdapRoot(), 2, constraint, requestedAttrs);
        while (results.hasMore()) {
            LDAPEntry candidate = results.next();
            LDAPAttribute idAttr = candidate.getAttribute(userIdAttrName);
            if (idAttr == null) {
                // Nothing to key the Approvers row on.
                continue;
            }
            if (sendNotification) {
                LDAPAttribute mailAttr = candidate.getAttribute("mail");
                if (mailAttr == null) {
                    StringBuffer msg = new StringBuffer();
                    msg.append("No email address for ").append(candidate.getDN());
                    logger.warn(msg.toString());
                } else {
                    cfg.getProvisioningEngine().sendNotification(mailAttr.getStringValue(), emailTemplate, new User(candidate));
                }
            }
            Approvers approver = getApprover(approval, emailTemplate, cfg, session, idAttr.getStringValue(), candidate);
            if (approver != null) {
                AllowedApprovers link = new AllowedApprovers();
                link.setApprovals(approval);
                link.setApprovers(approver);
                session.save(link);
                anyLinked = true;
            }
        }
    } catch (Exception e) {
        throw new ProvisioningException("Could not find approvers", e);
    }
    return anyLinked;
}

Example 4 with Approvers

Use of com.tremolosecurity.provisioning.objects.Approvers in the OpenUnison project by TremoloSecurity.

From the class AzUtils, method getApprover:

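/**
 * Finds or creates the persisted {@link Approvers} row for {@code userID} and mirrors the configured
 * approver attributes onto it from the approver's directory entry.
 *
 * <p>Lookup is by {@code userKey}; if several rows share that key the first one returned is used.
 * For every name in the provisioning engine's approver-attribute list, an existing
 * {@link ApproverAttributes} row (matched case-insensitively by name) is updated when the directory
 * value differs from the stored one; a missing row is created only when the directory entry actually
 * carries the attribute. (SendMessageThread.doApproval has a near-copy of this loop that creates the
 * row even without a directory value -- the two should probably be reconciled.)
 *
 * @param approval      unused
 * @param emailTemplate unused
 * @param cfg           supplies the list of approver attribute names to mirror
 * @param session       Hibernate session the Approvers / ApproverAttributes rows are saved in
 * @param userID        value of the provisioning user-id attribute, used as the Approvers userKey
 * @param approver      the approver's directory entry, source of the attribute values
 * @return the persisted Approvers row, never {@code null}
 * @throws SQLException declared for callers; nothing in this body raises it
 */
public static Approvers getApprover(Approvals approval, String emailTemplate, ConfigManager cfg, Session session, String userID, LDAPEntry approver) throws SQLException {
    Query query = session.createQuery("FROM Approvers WHERE userKey = :user_key");
    query.setParameter("user_key", userID);
    List<Approvers> approvers = query.list();
    if (logger.isDebugEnabled()) {
        logger.debug("Approver UserID : " + userID);
    }
    Approvers approverObj;
    if (approvers.isEmpty()) {
        approverObj = new Approvers();
        approverObj.setUserKey(userID);
        session.save(approverObj);
    } else {
        approverObj = approvers.get(0);
    }
    for (String attrName : cfg.getProvisioningEngine().getApproverAttributes()) {
        // Read the directory value once per attribute name rather than once per stored row.
        LDAPAttribute approverAttr = approver.getAttribute(attrName);
        boolean found = false;
        for (ApproverAttributes appAttr : approverObj.getApproverAttributeses()) {
            if (!attrName.equalsIgnoreCase(appAttr.getName())) {
                continue;
            }
            found = true;
            // Only write when the directory has a value and it differs from what is stored.
            if (approverAttr != null && !approverAttr.getStringValue().equals(appAttr.getValue())) {
                appAttr.setValue(approverAttr.getStringValue());
                session.save(appAttr);
            }
        }
        if (!found && approverAttr != null) {
            ApproverAttributes attr = new ApproverAttributes();
            attr.setName(attrName);
            attr.setValue(approverAttr.getStringValue());
            attr.setApprovers(approverObj);
            approverObj.getApproverAttributeses().add(attr);
            session.save(attr);
        }
    }
    return approverObj;
}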

Example 5 with Approvers

Use of com.tremolosecurity.provisioning.objects.Approvers in the OpenUnison project by TremoloSecurity.

From the class AzUtils, method loadStaticGroupApprovers:

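/**
 * Links every member DN of the static group at {@code constraint} to {@code approval} as an allowed approver.
 *
 * <p>The group entry is read with a base-scope search and its configured member attribute is
 * iterated; each DN is resolved through {@link #getApproverByDN}, with {@code null} results skipped.
 * A missing group and an empty membership are both logged as warnings and yield {@code false}.
 *
 * @param approval         the approval record the approvers are attached to
 * @param emailTemplate    passed through to getApproverByDN
 * @param cfg              configuration manager giving access to MyVD and the group member attribute name
 * @param session          Hibernate session the AllowedApprovers rows are saved in
 * @param id               unused
 * @param constraint       DN of the static group
 * @param sendNotification passed through to getApproverByDN
 * @return {@code true} if at least one approver was linked
 * @throws ProvisioningException if the group lookup fails ("Could not find group") or resolving or
 *                               saving a member fails ("Could not load approvers")
 */
public static boolean loadStaticGroupApprovers(Approvals approval, String emailTemplate, ConfigManager cfg, Session session, int id, String constraint, boolean sendNotification) throws ProvisioningException {
    String memberAttrName = cfg.getCfg().getGroupMemberAttribute();
    ArrayList<String> attrs = new ArrayList<String>();
    attrs.add(memberAttrName);
    LDAPEntry group = null;
    try {
        // Base scope (0): constraint is the group's own DN, so only that entry is read.
        LDAPSearchResults res = cfg.getMyVD().search(constraint, 0, "(objectClass=*)", attrs);
        if (res.hasMore()) {
            group = res.next();
        }
    } catch (LDAPException e) {
        throw new ProvisioningException("Could not find group", e);
    }
    if (group == null) {
        // Previously silent: an absent group produced no approvers with nothing in the log.
        logger.warn(constraint + " not found");
        return false;
    }
    LDAPAttribute members = group.getAttribute(memberAttrName);
    String[] dns = members != null ? members.getStringValueArray() : new String[0];
    if (dns.length == 0) {
        logger.warn(constraint + " does not have any members");
    }
    boolean found = false;
    try {
        for (String dn : dns) {
            Approvers approver = getApproverByDN(approval, emailTemplate, cfg, session, dn, sendNotification);
            if (approver == null) {
                continue;
            }
            AllowedApprovers allowed = new AllowedApprovers();
            allowed.setApprovals(approval);
            allowed.setApprovers(approver);
            session.save(allowed);
            found = true;
        }
    } catch (Exception e) {
        throw new ProvisioningException("Could not load approvers", e);
    }
    return found;
}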
