
Example 36 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

From the class AuthManagerImpl, method finishSuccessfulLogin.

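/**
 * Completes a successful authentication chain.
 *
 * <p>Marks the user's {@link AuthInfo} as complete, writes an access-log entry,
 * expires the "DNE" marker cookies, runs the custom auth response hook
 * ({@link AuthMgrSys#processAuthResp}), records compliance attributes when the
 * chain has compliance enabled, and finally either hands control to a
 * {@link PostAuthSuccess} action, continues the pipeline, or redirects the
 * browser to the originally requested URL.
 *
 * @param req the current request; carries the {@link ConfigManager} under
 *     {@code ProxyConstants.TREMOLO_CFG_OBJ}
 * @param resp the current response, expected to be a {@link ProxyResponse}
 * @param holder configuration for the URL being accessed
 * @param act the authentication chain that just succeeded
 * @param reqHolder the originally requested URL and method, or {@code null}
 *     when there is no request to resume
 * @param actl controller holding the authenticated user's {@link AuthInfo}
 * @param next the next subsystem in the proxy pipeline
 * @return {@code true} when there was no request to resume ({@code reqHolder == null}),
 *     {@code false} otherwise
 * @throws IOException if the redirect cannot be written
 * @throws ServletException if the custom auth response cannot be initialized or
 *     the compliance workflow fails
 * @see com.tremolosecurity.proxy.auth.sys.AuthManager#finishSuccessfulLogin(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, com.tremolosecurity.config.util.UrlHolder, com.tremolosecurity.config.xml.AuthChainType, com.tremolosecurity.proxy.auth.RequestHolder, com.tremolosecurity.proxy.auth.AuthController, com.tremolosecurity.proxy.util.NextSys)
 */
@Override
public boolean finishSuccessfulLogin(HttpServletRequest req, HttpServletResponse resp, UrlHolder holder, AuthChainType act, RequestHolder reqHolder, AuthController actl, NextSys next) throws IOException, ServletException {
    ConfigManager cfg = (ConfigManager) req.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    AuthInfo ai = actl.getAuthInfo();
    ai.setAuthComplete(true);

    // The access log records which chain (level / name) the user satisfied.
    AccessLog.log(AccessEvent.AuSuccess, holder.getApp(), req, ai, act.getLevel() + " / " + act.getName());

    if (reqHolder == null) {
        // Nothing to resume: expire the marker cookies, run the custom response
        // hook and tell the caller the response has been handled.
        expireMarkerCookies(req, resp, holder);
        runCustomAuthResponse(req, resp, holder);
        return true;
    }

    String redirURL;
    switch (reqHolder.getMethod()) {
        case GET:
            redirURL = getGetRedirectURL(reqHolder).toString();
            expireMarkerCookies(req, resp, holder);
            break;
        case POST:
            // The preserved POST is replayed through this form.
            redirURL = holder.getConfig().getAuthFormsPath() + "postPreservation.jsp";
            break;
        default:
            redirURL = reqHolder.getURL().toString();
    }

    req.setAttribute(AuthMgrSys.AU_RES, Boolean.TRUE);
    runCustomAuthResponse(req, resp, holder);

    if (act.getCompliance() != null && act.getCompliance().isEnabled()) {
        recordSuccessfulLogin(holder, act, ai);
    }

    PostAuthSuccess postAuth = (PostAuthSuccess) req.getAttribute(PostAuthSuccess.POST_AUTH_ACTION);
    if (postAuth != null) {
        postAuth.runAfterSuccessfulAuthentication(req, resp, holder, act, reqHolder, actl, next);
    } else if (!req.getRequestURI().startsWith(cfg.getAuthPath())) {
        // Not on the auth path: the target URL is already being served, so
        // continue the pipeline instead of redirecting.
        next.nextSys(req, resp);
    } else {
        resp.sendRedirect(redirURL);
    }
    return false;
}

/**
 * Expires the two "DNE" marker cookies ({@code autoIdmSessionCookieName} and
 * {@code autoIdmAppName}) so the browser drops them once login has completed.
 * Nothing is added when the application's cookie config explicitly disables
 * cookies.
 */
private void expireMarkerCookies(HttpServletRequest req, HttpServletResponse resp, UrlHolder holder) {
    // NOTE(review): holder.getApp() is dereferenced here before any null check,
    // exactly as the previous code did; a null app fails at this line.
    String domain = ProxyTools.getInstance().getCookieDomain(holder.getApp().getCookieConfig(), req);
    if (!cookiesEnabled(holder)) {
        return;
    }
    HttpServletResponse target = (HttpServletResponse) ((ProxyResponse) resp).getResponse();
    for (String name : new String[] {"autoIdmSessionCookieName", "autoIdmAppName"}) {
        Cookie expired = new Cookie(name, "DNE");
        if (domain != null) {
            expired.setDomain(domain);
        }
        expired.setPath("/");
        // Max-age 0 tells the browser to delete the cookie.
        expired.setMaxAge(0);
        expired.setSecure(false);
        ProxyResponse.addCookieToResponse(holder, expired, target);
    }
}

/** Cookies are considered enabled unless the app's cookie config explicitly says otherwise. */
private static boolean cookiesEnabled(UrlHolder holder) {
    if (holder.getApp() == null || holder.getApp().getCookieConfig() == null) {
        return true;
    }
    Boolean enabled = holder.getApp().getCookieConfig().isCookiesEnabled();
    return enabled == null || enabled;
}

/**
 * Runs the configured custom authentication response handler.
 *
 * @throws ServletException if the handler class cannot be instantiated
 */
private void runCustomAuthResponse(HttpServletRequest req, HttpServletResponse resp, UrlHolder holder) throws IOException, ServletException {
    AuthMgrSys ams = new AuthMgrSys(null);
    try {
        ams.processAuthResp(req, resp, holder, Boolean.TRUE);
    } catch (InstantiationException | IllegalAccessException | ClassNotFoundException e) {
        throw new ServletException("Could not initialize custom response", e);
    }
}

/**
 * Records the successful login for compliance tracking: stamps the
 * last-success time, resets the failed-login counter and pushes the user
 * through the chain's update-attributes workflow. Skipped silently when the
 * authenticated user has no uid attribute (as before).
 *
 * @throws ServletException if the workflow fails
 */
private void recordSuccessfulLogin(UrlHolder holder, AuthChainType act, AuthInfo ai) throws ServletException {
    String uidAttrName = act.getCompliance().getUidAttributeName();
    Attribute uidAttribute = ai.getAttribs().get(uidAttrName);
    if (uidAttribute == null || uidAttribute.getValues().isEmpty()) {
        return;
    }
    String uid = uidAttribute.getValues().get(0);
    String lastSucceedAttr = act.getCompliance().getLastSucceedAttribute();
    String numFailedAttr = act.getCompliance().getNumFailedAttribute();

    User updateAttrs = new User(uid);
    // Epoch milliseconds; time-zone independent, same value the Joda UTC clock gave.
    updateAttrs.getAttribs().put(lastSucceedAttr, new Attribute(lastSucceedAttr, Long.toString(System.currentTimeMillis())));
    updateAttrs.getAttribs().put(numFailedAttr, new Attribute(numFailedAttr, "0"));
    updateAttrs.getAttribs().put(uidAttrName, new Attribute(uidAttrName, uid));

    // Copy the attributes the provisioning engine tracks from the authenticated
    // user so the workflow sees them.
    if (GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getUserAttrbiutes() != null) {
        for (String attrName : GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getUserAttrbiutes()) {
            Attribute fromAuth = ai.getAttribs().get(attrName);
            if (fromAuth != null) {
                Attribute attrForWF = new Attribute(attrName);
                attrForWF.getValues().addAll(fromAuth.getValues());
                updateAttrs.getAttribs().put(attrName, attrForWF);
            }
        }
    }

    HashMap<String, Object> wfReq = new HashMap<String, Object>();
    wfReq.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
    try {
        holder.getConfig().getProvisioningEngine().getWorkFlow(act.getCompliance().getUpdateAttributesWorkflow()).executeWorkflow(updateAttrs, wfReq);
    } catch (ProvisioningException e) {
        throw new ServletException("Could not update successful login attribute", e);
    }
}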

Example 37 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

From the class HttpBasicAuth, method doAuth.

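/**
 * Authenticates the user by issuing an HTTP Basic request to {@code this.url}
 * on {@code this.host:this.port} with the supplied credentials.
 *
 * <p>On success the remote side is expected to return the user's attributes as
 * JSON in the {@code UserJSON} response header; that JSON is deserialized into
 * an {@link AuthInfo}, the DN is set to {@code uid=<userName>,<ldapRoot>} and
 * the result is stored on the session's {@link AuthController}. The remote
 * endpoint therefore acts as the identity source: whatever it places in
 * {@code UserJSON} becomes the authenticated identity.
 *
 * @throws LDAPException wrapping any transport or parsing failure
 */
@Override
public void doAuth(HttpServletRequest request, HttpSession session, String uidAttr, final String userName, final String password, MyVDConnection myvd, AuthChainType act, AuthMechType amt, AuthStep as, ConfigManager cfgMgr) throws LDAPException {
    BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(cfgMgr.getHttpClientSocketRegistry());
    try {
        HttpHost targetHost = new HttpHost(this.host, this.port);

        // Seed the auth cache so the Basic credentials are sent pre-emptively
        // rather than after a 401 challenge.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(targetHost, new BasicScheme());
        HttpClientContext localcontext = HttpClientContext.create();
        localcontext.setAuthCache(authCache);

        CredentialsProvider credsProvider = new BasicCredentialsProvider();
        credsProvider.setCredentials(new AuthScope(this.host, this.port), new UsernamePasswordCredentials(userName, password));

        HttpGet get = new HttpGet(this.url);
        // The client is Closeable and was previously never closed.
        try (CloseableHttpClient httpclient = HttpClients.custom().setConnectionManager(bhcm).setDefaultCredentialsProvider(credsProvider).build()) {
            HttpResponse res = httpclient.execute(targetHost, get, localcontext);
            if (res.getFirstHeader("UserJSON") == null) {
                // NOTE(review): the step is left neither executed nor successful
                // here (unchanged behaviour); confirm the chain treats that as a
                // failed step rather than a skipped one.
                return;
            }
            String json = res.getFirstHeader("UserJSON").getValue();
            AuthInfo authInfo = new Gson().fromJson(json, AuthInfo.class);

            // NOTE(review): userName is placed into the DN without RDN escaping;
            // a name containing ',' or '=' changes the DN's structure.
            authInfo.setUserDN("uid=" + userName + "," + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot());
            authInfo.setAuthChain(act.getName());
            authInfo.setAuthLevel(act.getLevel());

            as.setExecuted(true);
            as.setSuccess(true);

            AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
            if (actl == null) {
                actl = new AuthController();
                session.setAttribute(ProxyConstants.AUTH_CTL, actl);
            }
            actl.setAuthInfo(authInfo);
        } catch (Exception e) {
            throw new LDAPException("Could not authenticate user", LDAPException.OPERATIONS_ERROR, e.toString(), e);
        }
    } finally {
        bhcm.shutdown();
    }
}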

Example 38 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

From the class LDAPBasicAuth, method doAuth.

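/**
 * Authenticates a user against the virtual directory.
 *
 * <p>Looks the user up under the chain's search root by {@code uidAttr}, binds
 * as the entry with the supplied password and, on success, copies every
 * attribute of the entry into a new {@link AuthInfo} on the session's
 * {@link AuthController}.
 *
 * <p>A blank password is never sent to the directory: an LDAP simple bind with
 * an empty password is an unauthenticated bind, which many servers accept, so
 * attempting it could mark the step successful without verifying anything.
 *
 * @throws LDAPException if the bind fails; the candidate DN is stored on the
 *     request under {@code ProxyConstants.AUTH_FAILED_USER_DN} before rethrowing
 */
public void doAuth(HttpServletRequest request, HttpSession session, String uidAttr, String userName, String password, MyVDConnection myvd, AuthChainType act, AuthMechType amt, AuthStep as, ConfigManager cfgMgr) throws LDAPException {
    if (password == null || password.trim().isEmpty()) {
        // Fail the step outright instead of attempting a bind with an empty
        // password; previously only mechanisms marked "required" stopped here.
        as.setExecuted(true);
        as.setSuccess(false);
        return;
    }

    // NOTE(review): equal() is assumed to escape userName for the LDAP filter - confirm.
    LDAPSearchResults res = myvd.search(AuthUtil.getChainRoot(cfgMgr, act), 2, equal(uidAttr, userName).toString(), new ArrayList<String>());
    if (!res.hasMore()) {
        // No such user; there is no DN to report (attribute set to null, as before).
        request.setAttribute(ProxyConstants.AUTH_FAILED_USER_DN, null);
        as.setExecuted(true);
        as.setSuccess(false);
        return;
    }

    LDAPEntry entry = res.next();
    String userDN = entry.getDN();
    try {
        myvd.bind(userDN, password);
    } catch (LDAPException le) {
        // Let failed-login accounting know which user this was.
        request.setAttribute(ProxyConstants.AUTH_FAILED_USER_DN, userDN);
        throw le;
    }

    AuthInfo authInfo = new AuthInfo(userDN, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    AuthController actl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    if (actl == null) {
        actl = new AuthController();
        session.setAttribute(ProxyConstants.AUTH_CTL, actl);
    }
    actl.setAuthInfo(authInfo);

    // Copy every attribute (all values) of the entry onto the AuthInfo.
    Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
    while (it.hasNext()) {
        LDAPAttribute ldapAttr = it.next();
        Attribute attr = new Attribute(ldapAttr.getName());
        for (String value : ldapAttr.getStringValueArray()) {
            attr.getValues().add(value);
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    as.setExecuted(true);
    as.setSuccess(true);
}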

Example 39 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

From the class PersistentCookie, method doWork.

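/**
 * Authenticates the request from a persistent "last mile" cookie.
 *
 * <p>The cookie (named by the {@code cookieName} mechanism parameter) holds an
 * encrypted last-mile token, decrypted with the secret key named by
 * {@code keyAlias}. The token must still be valid, must carry a {@code DN},
 * must carry a {@code CLIENT_IP} equal to the requester's address and, when the
 * {@code useSSLSessionID} parameter is true, an {@code SSL_SESSION_ID} equal to
 * the current TLS session id. Only then is the DN looked up and its attributes
 * loaded into a new {@link AuthInfo}. Every outcome ends by calling
 * {@code nextAuth}.
 *
 * @param request the current request
 * @param response the current response
 * @param as the auth step; marked executed here and successful/unsuccessful
 *     depending on the outcome
 * @throws ServletException if the URL holder, a required mechanism parameter or
 *     the secret key is missing
 * @throws IOException propagated from {@code nextAuth}
 */
private void doWork(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    as.setExecuted(true);
    MyVDConnection myvd = cfgMgr.getMyVD();
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());

    @SuppressWarnings("unchecked") // stored by the auth framework as HashMap<String, Attribute>
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String cookieName = requiredParam(authParams, "cookieName", "No cookie name specified");
    Attribute sslParam = authParams.get("useSSLSessionID");
    boolean useSSLSessionID = sslParam != null && sslParam.getValues().get(0).equalsIgnoreCase("true");
    // millisToLive is not used here but is still validated (missing or
    // non-numeric fails fast); presumably it is consumed where the cookie is issued.
    Long.parseLong(requiredParam(authParams, "millisToLive", "No milliseconds to live specified"));
    String keyAlias = requiredParam(authParams, "keyAlias", "No key name specified");

    Cookie authCookie = findCookie(request, cookieName);
    if (authCookie == null) {
        failStep(as, holder, request, response, session);
        return;
    }

    SecretKey key = this.cfgMgr.getSecretKey(keyAlias);
    if (key == null) {
        throw new ServletException("Secret key '" + keyAlias + "' does not exist");
    }

    com.tremolosecurity.lastmile.LastMile lastmile = new com.tremolosecurity.lastmile.LastMile();
    try {
        lastmile.loadLastMielToken(stripQuotes(authCookie.getValue()), key);
    } catch (Exception e) {
        // A token that does not decrypt is a failed step, not a request error.
        logger.warn("Could not decrypt cookie", e);
        failStep(as, holder, request, response, session);
        return;
    }
    if (!lastmile.isValid()) {
        logger.warn("Cookie no longer valid");
        failStep(as, holder, request, response, session);
        return;
    }

    // All token claims must check out before the DN is trusted. CLIENT_IP is
    // mandatory (validip starts false); SSL_SESSION_ID only when configured.
    boolean validip = false;
    boolean validSslSessionId = !useSSLSessionID;
    String dn = null;
    for (Attribute attrib : lastmile.getAttributes()) {
        String name = attrib.getName();
        if (name.equalsIgnoreCase("CLIENT_IP")) {
            // NOTE(review): getRemoteAddr() is the immediate peer; behind a
            // reverse proxy this is the proxy's address.
            validip = attrib.getValues().get(0).equals(request.getRemoteAddr());
        } else if (name.equalsIgnoreCase("DN")) {
            dn = attrib.getValues().get(0);
        } else if (name.equalsIgnoreCase("SSL_SESSION_ID")) {
            Object sessionID = request.getAttribute("javax.servlet.request.ssl_session_id");
            if (sessionID instanceof byte[]) {
                sessionID = new String(Base64.encodeBase64((byte[]) sessionID));
            }
            validSslSessionId = attrib.getValues().get(0).equals(sessionID);
        }
    }

    if (dn == null || !validip || !validSslSessionId) {
        as.setSuccess(false);
    } else {
        as.setSuccess(loadUser(myvd, dn, session, act));
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Looks up {@code dn} and, if the entry exists, installs its attributes as the
 * session's {@link AuthInfo}.
 *
 * @return {@code true} if the entry was found and loaded, {@code false} if it
 *     does not exist or the directory lookup failed
 */
private boolean loadUser(MyVDConnection myvd, String dn, HttpSession session, AuthChainType act) {
    try {
        LDAPSearchResults res = myvd.search(dn, 0, "(objectClass=*)", new ArrayList<String>());
        if (!res.hasMore()) {
            return false;
        }
        LDAPEntry entry = res.next();
        AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
        ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
        Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
        while (it.hasNext()) {
            LDAPAttribute ldapattr = it.next();
            Attribute attr = new Attribute(ldapattr.getName());
            for (String value : ldapattr.getStringValueArray()) {
                attr.getValues().add(value);
            }
            authInfo.getAttribs().put(attr.getName(), attr);
        }
        return true;
    } catch (LDAPException e) {
        // Invalid credentials is an expected outcome; anything else is logged.
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        return false;
    }
}

/**
 * Returns the first value of the named mechanism parameter.
 *
 * @throws ServletException with {@code errorMessage} if the parameter is absent
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name, String errorMessage) throws ServletException {
    Attribute attr = authParams.get(name);
    if (attr == null) {
        throw new ServletException(errorMessage);
    }
    return attr.getValues().get(0);
}

/** Finds the request cookie with the given name (case-insensitive), or {@code null}. */
private static Cookie findCookie(HttpServletRequest request, String cookieName) {
    if (request.getCookies() == null) {
        return null;
    }
    for (Cookie cookie : request.getCookies()) {
        if (cookie.getName().equalsIgnoreCase(cookieName)) {
            return cookie;
        }
    }
    return null;
}

/** Removes surrounding double quotes from a cookie value; other values are returned unchanged. */
private static String stripQuotes(String cookieVal) {
    if (cookieVal.length() >= 2 && cookieVal.startsWith("\"") && cookieVal.endsWith("\"")) {
        return cookieVal.substring(1, cookieVal.length() - 1);
    }
    return cookieVal;
}

/** Marks the step unsuccessful and hands the chain on to the next mechanism. */
private static void failStep(AuthStep as, UrlHolder holder, HttpServletRequest request, HttpServletResponse response, HttpSession session) throws IOException, ServletException {
    as.setSuccess(false);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}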

Example 40 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

From the class ScaleMain, method executeWorkflows.

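/**
 * Executes the workflows requested in the JSON request body and writes a
 * {@code uuid -> status} map back as the JSON response.
 *
 * <p>The body is a JSON array of {@link WorkflowRequest}. For each entry the
 * reason is mandatory, the workflow must exist and its organization must be one
 * the current user may access. Without subjects the workflow runs for the
 * current user; with subjects the user must be allowed to delegate and the
 * workflow runs once per subject. Per-request failures are reported in the
 * result map rather than aborting the batch.
 *
 * @param request the filter request; its decoded body is under {@code ProxySys.MSG_BODY}
 * @param response the response the JSON result map is written to
 * @param gson JSON codec used in both directions
 * @throws Exception on I/O or directory failures outside an individual workflow run
 */
private void executeWorkflows(HttpFilterRequest request, HttpFilterResponse response, Gson gson) throws Exception {
    Type listType = new TypeToken<ArrayList<WorkflowRequest>>() {
    }.getType();
    byte[] requestBytes = (byte[]) request.getAttribute(ProxySys.MSG_BODY);
    List<WorkflowRequest> reqs = gson.fromJson(new String(requestBytes, StandardCharsets.UTF_8), listType);
    HashMap<String, String> results = new HashMap<String, String>();

    // A body of "null" deserializes to null; treat it as an empty batch.
    if (reqs != null && !reqs.isEmpty()) {
        AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
        for (WorkflowRequest req : reqs) {
            results.put(req.getUuid(), executeWorkflowRequest(request, req, userData, ot));
        }
    }

    ScaleJSUtils.addCacheHeaders(response);
    response.setContentType("application/json");
    response.getWriter().println(gson.toJson(results).trim());
}

/**
 * Runs one workflow request and returns the status string to report for it.
 *
 * @param request the filter request (for the session used in org and pre-checks)
 * @param req the individual workflow request
 * @param userData the authenticated requester
 * @param ot the root of the organization tree
 * @return "success", or a human-readable reason the request was not run
 */
private String executeWorkflowRequest(HttpFilterRequest request, WorkflowRequest req, AuthInfo userData, OrgType ot) throws Exception {
    if (req.getReason() == null || req.getReason().isEmpty()) {
        return "Reason is required";
    }

    HashSet<String> allowedOrgs = new HashSet<String>();
    this.checkOrg(allowedOrgs, ot, new AzSys(), userData, request.getSession());

    String orgid = findWorkflowOrg(req.getName());
    if (orgid == null) {
        return "Not Found";
    }
    if (!allowedOrgs.contains(orgid)) {
        return "Unauthorized";
    }

    // Reasons are capped at 255 characters; oversize ones are truncated, not rejected.
    // The same trimmed/truncated reason is used for self and delegated runs
    // (previously delegated runs used the raw reason).
    String requestReason = req.getReason().trim();
    if (requestReason.length() > 255) {
        logger.warn("Reason is oversized : " + requestReason.length());
        requestReason = requestReason.substring(0, 255);
    }

    if (req.getSubjects() == null || req.getSubjects().isEmpty()) {
        return executeForSelf(req, requestReason, userData);
    }
    return executeForSubjects(request, req, requestReason, userData, allowedOrgs, orgid);
}

/** Runs the workflow for the requester themselves. */
private String executeForSelf(WorkflowRequest req, String requestReason, AuthInfo userData) {
    String requestorUid = userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0);
    WFCall wfCall = newWfCall(req, requestReason);
    TremoloUser tu = new TremoloUser();
    tu.setUid(requestorUid);
    tu.getAttributes().add(new Attribute(this.scaleConfig.getUidAttributeName(), requestorUid));
    wfCall.setUser(tu);
    try {
        com.tremolosecurity.provisioning.workflow.ExecuteWorkflow exec = new com.tremolosecurity.provisioning.workflow.ExecuteWorkflow();
        exec.execute(wfCall, GlobalEntries.getGlobalEntries().getConfigManager());
        return "success";
    } catch (Exception e) {
        // Details stay in the log; the caller only gets a generic message.
        logger.error("Could not update user", e);
        return "Error, please contact your system administrator";
    }
}

/**
 * Runs the workflow once per subject on behalf of the requester. Requires the
 * pre-check to allow delegation.
 *
 * @return "success", "Unable to submit" when delegation is not allowed, or the
 *     ';'-separated per-subject errors (without the trailing separator)
 */
private String executeForSubjects(HttpFilterRequest request, WorkflowRequest req, String requestReason, AuthInfo userData, HashSet<String> allowedOrgs, String orgid) throws Exception {
    PreCheckResponse preCheckResp = new PreCheckResponse();
    checkPreCheck(request, userData, allowedOrgs, req.getName(), orgid, preCheckResp);
    if (!preCheckResp.isCanDelegate()) {
        logger.warn("User '" + userData.getUserDN() + "' not allowed to request for others for '" + req.getName() + "'");
        return "Unable to submit";
    }

    String requestorUid = userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0);
    // StringBuffer because startSubjectWorkflow appends into it.
    StringBuffer errors = new StringBuffer();
    for (String subject : req.getSubjects()) {
        WFCall wfCall = newWfCall(req, requestReason);
        wfCall.setRequestor(requestorUid);
        TremoloUser tu = new TremoloUser();
        wfCall.setUser(tu);

        LDAPSearchResults searchRes = GlobalEntries.getGlobalEntries().getConfigManager().getMyVD().search(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot(), 2, equal(this.scaleConfig.getUidAttributeName(), subject).toString(), new ArrayList<String>());
        if (searchRes.hasMore()) {
            LDAPEntry entry = searchRes.next();
            if (entry == null) {
                errors.append("Error, user " + subject + " does not exist;");
            } else {
                startSubjectWorkflow(errors, req, wfCall, tu, subject, entry, preCheckResp);
            }
        } else {
            errors.append("Error, user " + subject + " does not exist;");
        }
        // Consume the rest of the result set before the next search.
        while (searchRes.hasMore()) {
            searchRes.next();
        }
    }

    if (errors.length() == 0) {
        return "success";
    }
    // Drop the trailing ';' separator.
    return errors.substring(0, errors.length() - 1);
}

/** Builds the common part of a workflow call: name, reason, uid attribute name and encrypted params. */
private WFCall newWfCall(WorkflowRequest req, String requestReason) {
    WFCall wfCall = new WFCall();
    wfCall.setName(req.getName());
    wfCall.setReason(requestReason);
    wfCall.setUidAttributeName(this.scaleConfig.getUidAttributeName());
    wfCall.setEncryptedParams(req.getEncryptedParams());
    return wfCall;
}

/** Returns the org id of the named workflow, or {@code null} if no configured workflow has that name. */
private static String findWorkflowOrg(String workflowName) {
    List<WorkflowType> wfs = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getWorkflows().getWorkflow();
    for (WorkflowType wf : wfs) {
        if (wf.getName().equals(workflowName)) {
            return wf.getOrgid();
        }
    }
    return null;
}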
