
Example 66 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class AmazonSimpleDBProvider method syncUser.

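/**
 * Synchronises {@code user} into the SimpleDB user and group domains.
 * <p>
 * When no item exists yet for the user's uid the user is created through
 * {@link #createUser} and the method returns. Otherwise the method
 * reconciles, in this order:
 * <ol>
 *   <li>every attribute already stored for the user: values the incoming
 *       user no longer carries are deleted (unless {@code addOnly}), values
 *       it newly carries are added;</li>
 *   <li>attributes named in {@code attributes} that the incoming user
 *       carries but SimpleDB does not store yet;</li>
 *   <li>group memberships, kept on the group items of the group domain:
 *       memberships the incoming user lacks are removed (unless
 *       {@code addOnly}), missing ones are added.</li>
 * </ol>
 * Every change is reported to the provisioning engine's audit log with the
 * request's {@code APPROVAL_ID} and {@code WORKFLOW}.
 * <p>
 * SimpleDB is eventually consistent: after each delete the method polls a
 * select until the deleted data is no longer visible, and it sleeps briefly
 * after each put. The poll has no retry cap, so a delete that never becomes
 * visible blocks the sync indefinitely.
 * <p>
 * The uid and attribute values are provisioning data, so they are quoted
 * and escaped before being placed into select expressions instead of being
 * concatenated raw.
 *
 * @param user       desired state of the user; the uid is read from the
 *                   attribute named by {@code uidAttrName}
 * @param addOnly    when {@code true} nothing is removed from SimpleDB
 * @param attributes names of the attributes in scope for the sync
 * @param request    workflow request; {@code APPROVAL_ID} (Integer) and
 *                   {@code WORKFLOW} are read for audit logging
 * @throws ProvisioningException if the thread is interrupted while waiting
 *                               for SimpleDB to become consistent
 */
@Override
public void syncUser(User user, boolean addOnly, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    String userid = user.getAttribs().get(this.uidAttrName).getValues().get(0);
    User amazonUser = this.findUser(userid, attributes, request);
    if (amazonUser == null) {
        this.createUser(user, attributes, request);
        return;
    }
    // Audit context: APPROVAL_ID is optional, WORKFLOW may be absent (null).
    int approvalID = 0;
    if (request.containsKey("APPROVAL_ID")) {
        approvalID = (Integer) request.get("APPROVAL_ID");
    }
    Workflow workflow = (Workflow) request.get("WORKFLOW");
    String itemName = amazonUser.getUserID();
    // 1. Attributes already stored in SimpleDB. Their names are remembered so
    //    step 2 only adds attributes that were not stored at all.
    Set<String> done = new HashSet<String>();
    for (String amznAttrName : amazonUser.getAttribs().keySet()) {
        done.add(amznAttrName);
        Attribute userAttr = user.getAttribs().get(amznAttrName);
        if (userAttr == null) {
            if (addOnly) {
                continue;
            }
            // The incoming user no longer has this attribute: delete it (a value-less
            // Attribute targets the whole attribute) and wait until the delete is visible.
            List<com.amazonaws.services.simpledb.model.Attribute> toDelete = new ArrayList<com.amazonaws.services.simpledb.model.Attribute>();
            toDelete.add(new com.amazonaws.services.simpledb.model.Attribute(amznAttrName.toLowerCase(), null));
            sdb.deleteAttributes(new DeleteAttributesRequest(this.userDomain, itemName, toDelete));
            // NOTE(review): the delete uses the lower-cased name while the select uses the
            // name as returned by findUser — confirm both refer to the same stored attribute.
            this.waitUntilGone("SELECT uid FROM " + sdbQuoteName(this.userDomain) + " WHERE uid=" + sdbQuoteValue(userid) + " AND " + sdbQuoteName(amznAttrName) + " IS NOT NULL");
            continue;
        }
        String attrName = userAttr.getName().toLowerCase();
        // Values the incoming user has that SimpleDB does not; shrinks as stored values are matched.
        Set<String> missing = new HashSet<String>(userAttr.getValues());
        for (String val : amazonUser.getAttribs().get(amznAttrName).getValues()) {
            if (missing.remove(val) || addOnly) {
                continue;
            }
            // Stored value the incoming user no longer has: delete, audit, wait for visibility.
            List<com.amazonaws.services.simpledb.model.Attribute> toDelete = new ArrayList<com.amazonaws.services.simpledb.model.Attribute>();
            toDelete.add(new com.amazonaws.services.simpledb.model.Attribute(attrName, val));
            sdb.deleteAttributes(new DeleteAttributesRequest(this.userDomain, itemName, toDelete));
            this.cfgMgr.getProvisioningEngine().logAction(this.name, false, ActionType.Delete, approvalID, workflow, attrName, val);
            this.waitUntilGone("SELECT uid FROM " + sdbQuoteName(this.userDomain) + " WHERE uid=" + sdbQuoteValue(userid) + " AND " + sdbQuoteName(attrName) + "=" + sdbQuoteValue(val));
        }
        if (!missing.isEmpty()) {
            List<com.amazonaws.services.simpledb.model.ReplaceableAttribute> toAdd = new ArrayList<com.amazonaws.services.simpledb.model.ReplaceableAttribute>();
            for (String val : missing) {
                toAdd.add(new com.amazonaws.services.simpledb.model.ReplaceableAttribute(attrName, val, false));
            }
            sdb.putAttributes(new PutAttributesRequest(this.userDomain, itemName, toAdd));
            for (String val : missing) {
                this.cfgMgr.getProvisioningEngine().logAction(this.name, false, ActionType.Replace, approvalID, workflow, attrName, val);
            }
            pauseForConsistency(1000);
        }
    }
    // 2. In-scope attributes the incoming user carries that SimpleDB does not store yet.
    //    This runs once, after all stored attributes have been collected in `done`.
    for (String attrName : user.getAttribs().keySet()) {
        if (!attributes.contains(attrName) || done.contains(attrName)) {
            continue;
        }
        List<String> values = user.getAttribs().get(attrName).getValues();
        List<com.amazonaws.services.simpledb.model.ReplaceableAttribute> toAdd = new ArrayList<com.amazonaws.services.simpledb.model.ReplaceableAttribute>();
        for (String val : values) {
            toAdd.add(new com.amazonaws.services.simpledb.model.ReplaceableAttribute(attrName.toLowerCase(), val, false));
        }
        sdb.putAttributes(new PutAttributesRequest(this.userDomain, itemName, toAdd));
        for (String val : values) {
            // Audited under the name as keyed in user.getAttribs(), not the lower-cased one.
            this.cfgMgr.getProvisioningEngine().logAction(this.name, false, ActionType.Add, approvalID, workflow, attrName, val);
        }
        pauseForConsistency(1000);
    }
    // 3. Group memberships: the member attribute on each group item names the user item.
    String memberAttr = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getGroupMemberAttribute();
    SelectResult res = this.sdb.select(new SelectRequest(this.getGroupSelect(itemName)));
    Set<String> currentGroups = new HashSet<String>();
    for (Item group : res.getItems()) {
        String groupName = group.getName();
        currentGroups.add(groupName);
        if (!addOnly && !user.getGroups().contains(groupName)) {
            List<com.amazonaws.services.simpledb.model.Attribute> toDelete = new ArrayList<com.amazonaws.services.simpledb.model.Attribute>();
            toDelete.add(new com.amazonaws.services.simpledb.model.Attribute(memberAttr, itemName));
            sdb.deleteAttributes(new DeleteAttributesRequest(this.groupDomain, groupName, toDelete));
            this.cfgMgr.getProvisioningEngine().logAction(this.name, false, ActionType.Delete, approvalID, workflow, "group", groupName);
            pauseForConsistency(500);
        }
    }
    for (String groupName : user.getGroups()) {
        if (currentGroups.contains(groupName)) {
            continue;
        }
        List<com.amazonaws.services.simpledb.model.ReplaceableAttribute> toAdd = new ArrayList<com.amazonaws.services.simpledb.model.ReplaceableAttribute>();
        toAdd.add(new com.amazonaws.services.simpledb.model.ReplaceableAttribute(memberAttr, itemName, false));
        sdb.putAttributes(new PutAttributesRequest(this.groupDomain, groupName, toAdd));
        this.cfgMgr.getProvisioningEngine().logAction(this.name, false, ActionType.Add, approvalID, workflow, "group", groupName);
    }
}

/**
 * Polls {@code select} every 500 ms until it returns no items, i.e. until a
 * preceding delete has become visible. There is no retry cap.
 *
 * @param select a complete SimpleDB select expression
 * @throws ProvisioningException if the thread is interrupted while waiting
 */
private void waitUntilGone(String select) throws ProvisioningException {
    boolean gone = false;
    while (!gone) {
        pauseForConsistency(500);
        SelectResult res = this.sdb.select(new SelectRequest(select));
        gone = res.getItems().isEmpty();
    }
}

/**
 * Sleeps for {@code millis}. An interrupt is not swallowed: the interrupt
 * flag is restored and the sync is aborted, rather than continuing to hit
 * SimpleDB without pausing.
 *
 * @param millis how long to sleep
 * @throws ProvisioningException if the thread is interrupted
 */
private static void pauseForConsistency(long millis) throws ProvisioningException {
    try {
        Thread.sleep(millis);
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        throw new ProvisioningException("Interrupted while waiting for SimpleDB to become consistent", e);
    }
}

/**
 * Quotes a value for a SimpleDB select expression: wraps it in single quotes
 * and doubles any embedded single quote.
 *
 * @param value the raw value
 * @return the quoted literal
 */
private static String sdbQuoteValue(String value) {
    return "'" + value.replace("'", "''") + "'";
}

/**
 * Quotes an attribute or domain name for a SimpleDB select expression: wraps
 * it in backticks and doubles any embedded backtick.
 *
 * @param name the raw identifier
 * @return the quoted identifier
 */
private static String sdbQuoteName(String name) {
    return "`" + name.replace("`", "``") + "`";
}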

Example 67 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class CreateAWSRoleAttribute method doFilter.

/**
 * Adds the AWS SAML {@code Role} attribute to the authenticated user.
 * <p>
 * Every value of the configured source attribute becomes one
 * {@code arn:aws:iam::<account>:role/<value>,arn:aws:iam::<account>:saml-provider/<idp>}
 * entry, stored under {@code https://aws.amazon.com/SAML/Attributes/Role}
 * in the session's attribute map, after which the filter chain continues.
 * When the source attribute is missing a warning is logged and the chain is
 * not continued: the request stops at this filter.
 *
 * @param request  the proxied request; its session must hold the auth controller
 * @param response the proxied response
 * @param chain    the remaining filter chain
 * @throws Exception propagated from the rest of the chain
 */
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    AuthController authCtl = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = authCtl.getAuthInfo();
    Attribute source = userData.getAttribs().get(this.sourceAttribute);
    if (source == null) {
        logger.warn("Source attribute not found");
        return;
    }
    // Both halves of each role entry are constant for this filter instance.
    String rolePrefix = "arn:aws:iam::" + this.accountNumber + ":role/";
    String providerSuffix = ",arn:aws:iam::" + this.accountNumber + ":saml-provider/" + this.idpName;
    Attribute roles = new Attribute("https://aws.amazon.com/SAML/Attributes/Role");
    for (String groupName : source.getValues()) {
        roles.getValues().add(rolePrefix + groupName + providerSuffix);
    }
    userData.getAttribs().put(roles.getName(), roles);
    chain.nextFilter(request, response, chain);
}

Example 68 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class CreateAWSRoleAttribute method getAttribute.

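/**
 * Reads a required, single-valued parameter from the filter configuration.
 *
 * @param name   the parameter name as it appears in the configuration
 * @param config the filter configuration
 * @return the parameter's first value
 * @throws Exception if the parameter is absent or carries no value
 */
private String getAttribute(String name, HttpFilterConfig config) throws Exception {
    Attribute attr = config.getAttribute(name);
    // An attribute with an empty value list would otherwise fail on get(0) with a
    // much less helpful IndexOutOfBoundsException.
    if (attr == null || attr.getValues().isEmpty()) {
        throw new Exception(name + " not configured");
    }
    String value = attr.getValues().get(0);
    // Values are logged at info level, so only non-secret settings should be read through here.
    logger.info(name + " - '" + value + "'");
    return value;
}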

Example 69 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class UserPrincipal method syncUser.

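/**
 * Synchronises {@code user} into FreeIPA.
 * <p>
 * The user is first looked up; an {@code IPAException} with code 4001 is
 * treated as "user does not exist" (every other code propagates). A missing
 * primary-domain user is created via {@link #createUser}; a user from a
 * trusted domain whose ID override the lookup flagged absent
 * ({@code freeipa.exists=false} in {@code request}) is created as well. For
 * an existing user every attribute in {@code attributes} except {@code uid}
 * is reconciled through {@code checkAttribute}; unless {@code addOnly}, the
 * attributes still present on the FreeIPA copy afterwards are deleted and
 * audited, groups the incoming user lacks are removed, and missing groups
 * are added. Finally, when {@code createShadowAccount} is set for a
 * primary-domain user, a random password is generated, hashed with
 * {@code PBKDF2} and stored through {@code setUserPassword}.
 * <p>
 * The connection opened by {@code createClient} is always shut down in the
 * {@code finally} block. Any failure is wrapped in a
 * {@link ProvisioningException}.
 *
 * @param user       desired state of the user
 * @param addOnly    when {@code true} nothing is removed from FreeIPA
 * @param attributes names of the attributes in scope for the sync
 * @param request    workflow request; {@code APPROVAL_ID} and
 *                   {@code WORKFLOW} are read for audit logging,
 *                   {@code freeipa.exists} for trusted-domain users
 * @throws ProvisioningException wrapping any failure during the sync
 */
public void syncUser(User user, boolean addOnly, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    UserPrincipal principal = new UserPrincipal(user.getUserID(), multiDomain, primaryDomain);
    User fromIPA = null;
    HttpCon con = null;
    try {
        con = this.createClient();
        try {
            fromIPA = this.findUser(user.getUserID(), attributes, request);
        } catch (IPAException ipaException) {
            // 4001: no such user. fromIPA stays null so the user is created below.
            if (ipaException.getCode() != 4001) {
                throw ipaException;
            }
        }
        int approvalID = 0;
        if (request.containsKey("APPROVAL_ID")) {
            approvalID = (Integer) request.get("APPROVAL_ID");
        }
        Workflow workflow = (Workflow) request.get("WORKFLOW");
        if (fromIPA == null) {
            // Only primary-domain users have an entry of their own to create.
            if (principal.isPrimaryDomain()) {
                this.createUser(user, attributes, request);
            }
            return;
        }
        if (!principal.isPrimaryDomain() && request.get("freeipa.exists") != null && ((Boolean) request.get("freeipa.exists")) == false) {
            // Trusted-domain user whose ID override does not exist yet.
            this.createUser(user, attributes, request);
            return;
        }
        // Reconcile each in-scope attribute; uid is the key and is never touched.
        for (String attrName : attributes) {
            if (attrName.equalsIgnoreCase("uid")) {
                continue;
            }
            checkAttribute(principal, user, fromIPA, con, approvalID, workflow, attrName, addOnly);
        }
        if (!addOnly) {
            // NOTE(review): every attribute still on fromIPA (except uid) is deleted; this
            // only makes sense if checkAttribute removes the ones it reconciled — confirm.
            for (String attrToDel : fromIPA.getAttribs().keySet()) {
                if (!attrToDel.equalsIgnoreCase("uid")) {
                    this.deleteAttribute(principal, attrToDel, con, approvalID, workflow);
                    this.cfgMgr.getProvisioningEngine().logAction(name, false, ActionType.Delete, approvalID, workflow, attrToDel, "");
                }
            }
        }
        // Groups: whatever is left in curGroups after the loop is not on the incoming user.
        HashSet<String> curGroups = new HashSet<String>(fromIPA.getGroups());
        for (String group : user.getGroups()) {
            if (!curGroups.remove(group)) {
                this.addGroup(principal, group, con, approvalID, workflow);
            }
        }
        if (!addOnly) {
            for (String group : curGroups) {
                this.removeGroup(principal, group, con, approvalID, workflow);
            }
        }
        if (principal.isPrimaryDomain() && this.createShadowAccount) {
            // NOTE(review): assumes `random` is a SecureRandom — confirm at the field declaration.
            String password = new BigInteger(130, random).toString(32);
            password = PBKDF2.generateHash(password);
            user.setPassword(password);
            this.setUserPassword(user, request);
        }
    } catch (Exception e) {
        throw new ProvisioningException("Could not sync user", e);
    } finally {
        if (con != null) {
            con.getBcm().shutdown();
        }
    }
}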

Example 70 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class UserPrincipal method findUser.

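/**
 * Looks a user up in FreeIPA and returns it as a provisioning {@link User}.
 * <p>
 * For a uid in the primary domain the entry is read with {@code user_show}
 * ({@code all=true}, {@code rights=true}): each requested attribute present
 * in the response is copied (list results value by value, scalar results as
 * a single value), the {@code uid} value is suffixed with {@code @domain}
 * when {@code multiDomain} is set, and {@code memberof_group} supplies the
 * groups.
 * <p>
 * For a uid in a trusted domain there is no user entry to show. Group
 * membership is derived instead from the {@code ipaexternalmember} values of
 * every group ({@code group_find} followed by a batch of
 * {@code group_show}), and the attributes come from the user's ID override
 * in {@code trustViewName} ({@code idoverrideuser_show}). When that override
 * does not exist the user is still returned (with {@code uid} and the groups
 * only) and {@code request} is flagged with {@code freeipa.exists=false} so
 * the caller knows the override has to be created.
 *
 * @param userID     the uid, possibly in {@code user@domain} form
 * @param attributes names of the attributes to load
 * @param con        an open connection to FreeIPA
 * @param request    the workflow request; may receive the {@code freeipa.exists} flag
 * @return the user as stored in FreeIPA, never {@code null}
 * @throws IPAException            for any IPA error except a missing ID override
 * @throws ClientProtocolException on HTTP protocol errors
 * @throws IOException             on transport errors
 */
private User findUser(String userID, Set<String> attributes, HttpCon con, Map<String, Object> request) throws IPAException, ClientProtocolException, IOException {
    UserPrincipal principal = new UserPrincipal(userID, multiDomain, primaryDomain);
    if (principal.isPrimaryDomain()) {
        return findPrimaryDomainUser(principal, userID, attributes, con);
    }
    return findTrustedDomainUser(userID, attributes, con, request);
}

/**
 * Reads a primary-domain user with {@code user_show}; see {@link #findUser}.
 *
 * @param principal  the parsed uid
 * @param userID     the uid as given by the caller
 * @param attributes names of the attributes to load
 * @param con        an open connection to FreeIPA
 * @return the populated user
 * @throws IPAException            on IPA errors
 * @throws ClientProtocolException on HTTP protocol errors
 * @throws IOException             on transport errors
 */
private User findPrimaryDomainUser(UserPrincipal principal, String userID, Set<String> attributes, HttpCon con) throws IPAException, ClientProtocolException, IOException {
    IPACall userSearch = new IPACall();
    userSearch.setId(0);
    userSearch.setMethod("user_show");
    ArrayList<String> userArray = new ArrayList<String>();
    userArray.add(principal.getUid());
    userSearch.getParams().add(userArray);
    HashMap<String, String> additionalParams = new HashMap<String, String>();
    additionalParams.put("all", "true");
    additionalParams.put("rights", "true");
    userSearch.getParams().add(additionalParams);
    IPAResponse resp = this.executeIPACall(userSearch, con);
    User user = new User();
    user.setUserID(userID);
    Map<String, Object> results = (Map<String, Object>) resp.getResult().getResult();
    for (String attributeName : attributes) {
        Object raw = results.get(attributeName);
        if (attributeName.equalsIgnoreCase("uid")) {
            // uid is expected in the response as a list; in multi-domain mode the stored
            // value is qualified with the principal's domain.
            StringBuilder s = new StringBuilder().append((String) ((List) raw).get(0));
            if (this.multiDomain) {
                s.append('@').append(principal.getDomain());
            }
            getOrCreateAttribute(user, attributeName).getValues().add(s.toString());
        } else if (raw instanceof List) {
            Attribute a = getOrCreateAttribute(user, attributeName);
            for (Object o : (List) raw) {
                a.getValues().add((String) o);
            }
        } else if (raw != null) {
            getOrCreateAttribute(user, attributeName).getValues().add((String) raw);
        }
    }
    if (results != null && results.get("memberof_group") != null) {
        for (Object o : ((List) results.get("memberof_group"))) {
            user.getGroups().add((String) o);
        }
    }
    return user;
}

/**
 * Builds a trusted-domain user from group membership and the ID override;
 * see {@link #findUser}.
 *
 * @param userID     the uid as given by the caller
 * @param attributes names of the attributes to load from the ID override
 * @param con        an open connection to FreeIPA
 * @param request    receives {@code freeipa.exists=false} when no ID override exists
 * @return the populated user
 * @throws IPAException            on IPA errors other than a missing ID override
 * @throws ClientProtocolException on HTTP protocol errors
 * @throws IOException             on transport errors
 */
private User findTrustedDomainUser(String userID, Set<String> attributes, HttpCon con, Map<String, Object> request) throws IPAException, ClientProtocolException, IOException {
    // List every group (keys only), then show each one without its member list.
    IPACall listGroups = new IPACall();
    listGroups.setId(0);
    listGroups.setMethod("group_find");
    ArrayList<String> userArray = new ArrayList<String>();
    userArray.add("");
    listGroups.getParams().add(userArray);
    HashMap<String, String> additionalParams = new HashMap<String, String>();
    additionalParams.put("pkey_only", "true");
    additionalParams.put("sizelimit", "0");
    listGroups.getParams().add(additionalParams);
    IPAResponse resp = this.executeIPACall(listGroups, con);
    List<Map> groups = (List<Map>) resp.getResult().getResult();
    List<IPACall> groupsToFind = new ArrayList<IPACall>();
    for (Map group : groups) {
        IPACall showGroup = new IPACall();
        showGroup.setId(0);
        showGroup.setMethod("group_show");
        ArrayList<String> groupName = new ArrayList<String>();
        groupName.add(((List) group.get("cn")).get(0).toString());
        showGroup.getParams().add(groupName);
        additionalParams = new HashMap<String, String>();
        additionalParams.put("no_members", "true");
        showGroup.getParams().add(additionalParams);
        groupsToFind.add(showGroup);
    }
    IPACall groupDetails = new IPACall();
    groupDetails.setId(0);
    groupDetails.setMethod("batch");
    groupDetails.getParams().add(groupsToFind);
    additionalParams = new HashMap<String, String>();
    groupDetails.getParams().add(additionalParams);
    IPABatchResponse batchResp = this.executeIPABatchCall(groupDetails, con);
    User user = new User();
    user.setUserID(userID);
    user.getAttribs().put("uid", new Attribute("uid", userID));
    // A trusted-domain user is a member of a group when it is listed in ipaexternalmember.
    if (batchResp.getResult() != null) {
        for (IPATopResult res : batchResp.getResult().getResults()) {
            String groupName = (String) res.getValue();
            if (((Map) res.getResult()).containsKey("ipaexternalmember")) {
                List<String> vals = (List<String>) ((Map) res.getResult()).get("ipaexternalmember");
                for (String val : vals) {
                    if (val.equalsIgnoreCase(userID)) {
                        user.getGroups().add(groupName);
                        break;
                    }
                }
            }
        }
    }
    // Attributes live on the user's ID override in the trust view.
    IPACall idOveride = new IPACall();
    idOveride.setId(0);
    idOveride.setMethod("idoverrideuser_show");
    List<String> params = new ArrayList<String>();
    params.add(this.trustViewName);
    params.add(userID);
    idOveride.getParams().add(params);
    Map<String, Object> param2 = new HashMap<String, Object>();
    param2.put("all", true);
    param2.put("rights", false);
    idOveride.getParams().add(param2);
    try {
        IPAResponse overrideResp = this.executeIPACall(idOveride, con);
        Map<String, List<String>> attrFromIpa = (Map<String, List<String>>) overrideResp.getResult().getResult();
        for (String attrName : attrFromIpa.keySet()) {
            if (attributes.contains(attrName)) {
                Attribute attrToAdd = new Attribute(attrName);
                attrToAdd.getValues().addAll(attrFromIpa.get(attrName));
                user.getAttribs().put(attrName, attrToAdd);
            }
        }
    } catch (IPAException e) {
        // A missing override is not an error here; the caller creates it. The
        // message may be null, which must not turn into an NPE that hides the real error.
        String message = e.getMessage();
        if (message == null || !message.contains("User ID override not found")) {
            throw e;
        }
        request.put("freeipa.exists", false);
    }
    return user;
}

/**
 * Returns the user's attribute of the given name, creating and registering
 * an empty one if it does not exist yet.
 *
 * @param user          the user being populated
 * @param attributeName the attribute name
 * @return the existing or newly created attribute
 */
private static Attribute getOrCreateAttribute(User user, String attributeName) {
    Attribute a = user.getAttribs().get(attributeName);
    if (a == null) {
        a = new Attribute(attributeName);
        user.getAttribs().put(attributeName, a);
    }
    return a;
}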
