Search in sources :

Example 1 with Approval

use of com.tremolosecurity.provisioning.tasks.Approval in project OpenUnison by TremoloSecurity.

the class SendMessageThread method doApproval.

/* (non-Javadoc)
	 * @see com.tremolosecurity.provisioning.core.ProvisioningEngine#doApproval(int, java.lang.String, boolean, java.lang.String)
	 */
@Override
public void doApproval(int id, String userID, boolean approved, String reason) throws ProvisioningException {
    org.hibernate.Session session = this.sessionFactory.openSession();
    try {
        StringBuffer b = new StringBuffer();
        LDAPSearchResults res = this.cfgMgr.getMyVD().search(this.cfgMgr.getCfg().getLdapRoot(), 2, equal(this.userIDAttributeName, userID).toString(), new ArrayList<String>());
        if (!res.hasMore()) {
            throw new ProvisioningException("Could not locate approver '" + userID + "'");
        }
        LDAPEntry approver = res.next();
        AuthInfo auinfo = new AuthInfo();
        auinfo.setUserDN(approver.getDN());
        LDAPAttributeSet attrs = approver.getAttributeSet();
        for (Object obj : attrs) {
            LDAPAttribute attr = (LDAPAttribute) obj;
            Attribute attrib = new Attribute(attr.getName());
            String[] vals = attr.getStringValueArray();
            for (String val : vals) {
                attrib.getValues().add(val);
            }
            auinfo.getAttribs().put(attrib.getName(), attrib);
        }
        while (res.hasMore()) res.next();
        Query query = session.createQuery("FROM Approvers WHERE userKey = :user_key");
        query.setParameter("user_key", userID);
        List<Approvers> approvers = query.list();
        Approvers approverObj = null;
        if (logger.isDebugEnabled()) {
            logger.debug("Approver UserID : " + userID);
        }
        int approverID;
        if (approvers.size() == 0) {
            approverObj = new Approvers();
            approverObj.setUserKey(userID);
            session.save(approverObj);
            approverID = approverObj.getId();
        } else {
            approverObj = approvers.get(0);
            approverID = approverObj.getId();
        }
        session.beginTransaction();
        boolean changed = false;
        for (String attrName : this.getApproverAttributes()) {
            boolean found = false;
            for (ApproverAttributes appAttr : approverObj.getApproverAttributeses()) {
                if (attrName.equalsIgnoreCase(appAttr.getName())) {
                    found = true;
                    LDAPAttribute approverAttr = approver.getAttribute(attrName);
                    if (approverAttr != null) {
                        if (!approverAttr.getStringValue().equals(appAttr.getValue())) {
                            appAttr.setValue(approverAttr.getStringValue());
                            session.save(appAttr);
                        }
                    }
                }
            }
            if (!found) {
                ApproverAttributes attr = new ApproverAttributes();
                attr.setName(attrName);
                LDAPAttribute approverAttr = approver.getAttribute(attrName);
                if (approverAttr != null) {
                    attr.setValue(approverAttr.getStringValue());
                }
                attr.setApprovers(approverObj);
                approverObj.getApproverAttributeses().add(attr);
                session.save(attr);
                changed = true;
            }
        }
        Approvals approvals = session.load(Approvals.class, id);
        if (approvals == null) {
            throw new ProvisioningException("Approval not found");
        }
        Gson gson = new Gson();
        String json = approvals.getWorkflowObj();
        Token token = gson.fromJson(json, Token.class);
        byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
        IvParameterSpec spec = new IvParameterSpec(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, this.cfgMgr.getSecretKey(this.cfgMgr.getCfg().getProvisioning().getApprovalDB().getEncryptionKey()), spec);
        byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
        String jsonDecr = new String(cipher.doFinal(encBytes));
        Workflow wf = (Workflow) JsonReader.jsonToJava(jsonDecr);
        Approval approval = (Approval) wf.findCurrentApprovalTask();
        if (approval == null) {
            throw new ProvisioningException("Could not locate approval step");
        }
        AzSys az = new AzSys();
        for (AzRule rule : approval.getAzRules()) {
            if (rule.getCustomAuthorization() != null) {
                rule.getCustomAuthorization().loadConfigManager(cfgMgr);
                rule.getCustomAuthorization().setWorkflow(wf);
            }
        }
        if (!az.checkRules(auinfo, this.cfgMgr, approval.getAzRules(), wf.getRequest())) {
            throw new ProvisioningException("Az of approval failed");
        }
        DateTime now = new DateTime();
        approvals.setWorkflowObj(null);
        approvals.setApprovedTs(new Timestamp(now.getMillis()));
        approvals.setApprovers(approverObj);
        approvals.setApproved(approved ? 1 : 0);
        approvals.setReason(reason);
        session.save(approvals);
        wf.getRequest().put(Approval.APPROVAL_RESULT, new Boolean(approved));
        approval.markComplete(approved);
        if (approved) {
            wf.reInit(cfgMgr);
            wf.restart();
        } else {
            if (wf.getUserNum() != wf.getRequesterNum()) {
                wf.getRequester().getAttribs().put("reason", new Attribute("reason", reason));
                if (!wf.getRequester().getAttribs().containsKey(approval.getMailAttr())) {
                    logger.warn("Can not send failure notification to " + wf.getRequester().getUserID() + ", no mail found");
                } else {
                    this.sendNotification(wf.getRequester().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getRequester());
                }
            }
            wf.getUser().getAttribs().put("reason", new Attribute("reason", reason));
            if (!wf.getUser().getAttribs().containsKey(approval.getMailAttr())) {
                logger.warn("Can not send failure notification to " + wf.getUser().getUserID() + ", no mail found");
            } else {
                this.sendNotification(wf.getUser().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getUser());
            }
            wf.reInit(cfgMgr);
            wf.restart();
        }
        session.getTransaction().commit();
    } catch (LDAPException e) {
        throw new ProvisioningException("Could not load approver", e);
    } catch (SQLException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (IOException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (ClassNotFoundException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (NoSuchAlgorithmException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (NoSuchPaddingException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (InvalidKeyException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (InvalidAlgorithmParameterException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (IllegalBlockSizeException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (BadPaddingException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        logger.error("Exception running workflow", e);
        throw new ProvisioningException("Exception running workflow", e);
    } finally {
        if (session != null) {
            session.close();
        }
    }
}
Also used : ApproverAttributes(com.tremolosecurity.provisioning.objects.ApproverAttributes) Query(org.hibernate.Query) Attribute(com.tremolosecurity.saml.Attribute) LDAPAttribute(com.novell.ldap.LDAPAttribute) SQLException(java.sql.SQLException) Approvals(com.tremolosecurity.provisioning.objects.Approvals) Gson(com.google.gson.Gson) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) Token(com.tremolosecurity.json.Token) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) BadPaddingException(javax.crypto.BadPaddingException) Timestamp(java.sql.Timestamp) DateTime(org.joda.time.DateTime) LDAPEntry(com.novell.ldap.LDAPEntry) Approvers(com.tremolosecurity.provisioning.objects.Approvers) AllowedApprovers(com.tremolosecurity.provisioning.objects.AllowedApprovers) Approval(com.tremolosecurity.provisioning.tasks.Approval) LDAPAttribute(com.novell.ldap.LDAPAttribute) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) LDAPAttributeSet(com.novell.ldap.LDAPAttributeSet) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) IOException(java.io.IOException) InvalidKeyException(java.security.InvalidKeyException) InvocationTargetException(java.lang.reflect.InvocationTargetException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) LDAPException(com.novell.ldap.LDAPException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) SocketException(java.net.SocketException) SQLException(java.sql.SQLException) SchedulerException(org.quartz.SchedulerException) IOException(java.io.IOException) MessagingException(javax.mail.MessagingException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) JMSException(javax.jms.JMSException) JAXBException(javax.xml.bind.JAXBException) FileNotFoundException(java.io.FileNotFoundException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) BadPaddingException(javax.crypto.BadPaddingException) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) LDAPException(com.novell.ldap.LDAPException) AzSys(com.tremolosecurity.proxy.auth.AzSys) IvParameterSpec(javax.crypto.spec.IvParameterSpec) Cipher(javax.crypto.Cipher) AzRule(com.tremolosecurity.proxy.az.AzRule)

Example 2 with Approval

use of com.tremolosecurity.provisioning.tasks.Approval in project OpenUnison by TremoloSecurity.

the class UpdateApprovalAZListener method updateAllowedApprovals.

private void updateAllowedApprovals(ConfigManager cfg, int approvalID, String workflowObj) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException, ClassNotFoundException, ProvisioningException, SQLException, InvalidAlgorithmParameterException {
    SecretKey decryptionKey = cfg.getSecretKey(cfg.getCfg().getProvisioning().getApprovalDB().getEncryptionKey());
    Gson gson = new Gson();
    Token token = gson.fromJson(workflowObj, Token.class);
    byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
    IvParameterSpec spec = new IvParameterSpec(iv);
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, decryptionKey, spec);
    byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
    String json = new String(cipher.doFinal(encBytes));
    Workflow wf = (Workflow) JsonReader.jsonToJava(json);
    Approval approval = (Approval) wf.findCurrentApprovalTask();
    if (approval == null) {
        throw new ProvisioningException("Could not locate approval step");
    }
    Set<Integer> currentApprovers = new HashSet<Integer>();
    Session session = cfg.getProvisioningEngine().getHibernateSessionFactory().openSession();
    try {
        Approvals approvalObj = session.load(Approvals.class, approval.getId());
        for (AllowedApprovers approver : approvalObj.getAllowedApproverses()) {
            currentApprovers.add(approver.getApprovers().getId());
        }
        session.beginTransaction();
        for (AllowedApprovers approver : approvalObj.getAllowedApproverses()) {
            session.delete(approver);
        }
        approvalObj.getAllowedApproverses().clear();
        approval.updateAllowedApprovals(session, cfg, wf.getRequest());
        // need to write the approval back to the db
        json = JsonWriter.objectToJson(wf);
        cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, decryptionKey);
        byte[] encJson = cipher.doFinal(json.getBytes("UTF-8"));
        String base64d = new String(org.bouncycastle.util.encoders.Base64.encode(encJson));
        token = new Token();
        token.setEncryptedRequest(base64d);
        token.setIv(new String(org.bouncycastle.util.encoders.Base64.encode(cipher.getIV())));
        // String base64 = new String(org.bouncycastle.util.encoders.Base64.encode(baos.toByteArray()));
        approvalObj.setWorkflowObj(gson.toJson(token));
        session.save(approvalObj);
        session.getTransaction().commit();
        approvalObj = session.load(Approvals.class, approvalObj.getId());
        for (AllowedApprovers approver : approvalObj.getAllowedApproverses()) {
            if (!currentApprovers.contains(approver.getApprovers().getId())) {
                this.sendNotification(approval.getEmailTemplate(), cfg, session, approver.getApprovers().getUserKey());
            }
        }
    } catch (Throwable t) {
        try {
            if (session != null) {
                session.getTransaction().rollback();
            }
        } catch (Throwable tx) {
        }
        ;
        throw t;
    } finally {
        if (session != null) {
            session.close();
        }
    }
}
Also used : Gson(com.google.gson.Gson) Workflow(com.tremolosecurity.provisioning.core.Workflow) Approvals(com.tremolosecurity.provisioning.objects.Approvals) Token(com.tremolosecurity.json.Token) SecretKey(javax.crypto.SecretKey) AllowedApprovers(com.tremolosecurity.provisioning.objects.AllowedApprovers) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IvParameterSpec(javax.crypto.spec.IvParameterSpec) Cipher(javax.crypto.Cipher) Approval(com.tremolosecurity.provisioning.tasks.Approval) HashSet(java.util.HashSet) Session(org.hibernate.Session)

Aggregations

Gson (com.google.gson.Gson)2 Token (com.tremolosecurity.json.Token)2 AllowedApprovers (com.tremolosecurity.provisioning.objects.AllowedApprovers)2 Approvals (com.tremolosecurity.provisioning.objects.Approvals)2 Approval (com.tremolosecurity.provisioning.tasks.Approval)2 Cipher (javax.crypto.Cipher)2 IvParameterSpec (javax.crypto.spec.IvParameterSpec)2 LDAPAttribute (com.novell.ldap.LDAPAttribute)1 LDAPAttributeSet (com.novell.ldap.LDAPAttributeSet)1 LDAPEntry (com.novell.ldap.LDAPEntry)1 LDAPException (com.novell.ldap.LDAPException)1 LDAPSearchResults (com.novell.ldap.LDAPSearchResults)1 ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)1 Workflow (com.tremolosecurity.provisioning.core.Workflow)1 ApproverAttributes (com.tremolosecurity.provisioning.objects.ApproverAttributes)1 Approvers (com.tremolosecurity.provisioning.objects.Approvers)1 AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)1 AzSys (com.tremolosecurity.proxy.auth.AzSys)1 AzRule (com.tremolosecurity.proxy.az.AzRule)1 Attribute (com.tremolosecurity.saml.Attribute)1