use of com.tremolosecurity.scalejs.data.PreCheckResponse in project OpenUnison by TremoloSecurity.
the class ScaleMain method doFilter.
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
Gson gson = new Gson();
request.getServletRequest().setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");
try {
if (request.getRequestURI().endsWith("/main/config")) {
if (scaleConfig.getUiDecisions() != null) {
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
Set<String> allowedAttrs = this.scaleConfig.getUiDecisions().availableAttributes(userData, request.getServletRequest());
ScaleConfig local = new ScaleConfig(this.scaleConfig);
if (allowedAttrs != null) {
for (String attrName : this.scaleConfig.getAttributes().keySet()) {
if (!allowedAttrs.contains(attrName)) {
local.getAttributes().remove(attrName);
}
}
}
local.setCanEditUser(this.scaleConfig.getUiDecisions().canEditUser(userData, request.getServletRequest()));
ScaleJSUtils.addCacheHeaders(response);
response.setContentType("application/json");
response.getWriter().println(gson.toJson(local).trim());
} else {
ScaleJSUtils.addCacheHeaders(response);
response.setContentType("application/json");
response.getWriter().println(gson.toJson(scaleConfig).trim());
}
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/user")) {
lookupUser(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("PUT") && request.getRequestURI().endsWith("/main/user")) {
saveUser(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/orgs")) {
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
AzSys az = new AzSys();
OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
Organization org = new Organization();
copyOrg(org, ot, az, userData);
ScaleJSUtils.addCacheHeaders(response);
response.setContentType("application/json");
response.getWriter().println(gson.toJson(org).trim());
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/workflows/org/")) {
loadWorkflows(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/workflows/candelegate")) {
try {
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
AzSys az = new AzSys();
HashSet<String> allowedOrgs = new HashSet<String>();
this.checkOrg(allowedOrgs, ot, az, userData, request.getSession());
String workflowName = request.getParameter("workflowName").getValues().get(0);
// need to check org
String orgid = null;
for (WorkflowType wf : GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getWorkflows().getWorkflow()) {
if (wf.getName().equals(workflowName)) {
orgid = wf.getOrgid();
break;
}
}
PreCheckResponse preCheckResp = new PreCheckResponse();
if (request.getParameter("uuid") != null) {
preCheckResp.setUuid(request.getParameter("uuid").getValues().get(0));
}
checkPreCheck(request, userData, allowedOrgs, workflowName, orgid, preCheckResp);
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().print(gson.toJson(preCheckResp).trim());
response.getWriter().flush();
} catch (Throwable t) {
logger.error("Could not check for preapproval status", t);
response.setStatus(500);
response.setContentType("application/json");
ScaleJSUtils.addCacheHeaders(response);
ScaleError error = new ScaleError();
error.getErrors().add("Unable to check");
response.getWriter().print(gson.toJson(error).trim());
response.getWriter().flush();
}
} else if (request.getMethod().equalsIgnoreCase("PUT") && request.getRequestURI().endsWith("/main/workflows")) {
executeWorkflows(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/approvals")) {
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
String uid = userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0);
response.setContentType("application/json");
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().println(gson.toJson(ServiceActions.listOpenApprovals(uid, this.scaleConfig.getDisplayNameAttribute(), GlobalEntries.getGlobalEntries().getConfigManager())).trim());
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/approvals/")) {
loadApproval(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("PUT") && request.getRequestURI().contains("/main/approvals/")) {
int approvalID = Integer.parseInt(request.getRequestURI().substring(request.getRequestURI().lastIndexOf('/') + 1));
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
String uid = userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0);
boolean ok = false;
ApprovalSummaries summaries = ServiceActions.listOpenApprovals(uid, this.scaleConfig.getDisplayNameAttribute(), GlobalEntries.getGlobalEntries().getConfigManager());
for (ApprovalSummary as : summaries.getApprovals()) {
if (as.getApproval() == approvalID) {
ok = true;
}
}
if (!ok) {
response.setStatus(401);
response.setContentType("application/json");
ScaleJSUtils.addCacheHeaders(response);
ScaleError error = new ScaleError();
error.getErrors().add("Unauthorized");
response.getWriter().print(gson.toJson(error).trim());
response.getWriter().flush();
} else {
ScaleApprovalData approvalData = gson.fromJson(new String((byte[]) request.getAttribute(ProxySys.MSG_BODY)), ScaleApprovalData.class);
try {
String approval = approvalData.getReason().trim();
if (approval.length() > 255) {
logger.warn("approval justification greater then 255 characters");
approval = approval.substring(0, 255);
}
GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().doApproval(approvalID, uid, approvalData.isApproved(), approval);
} catch (Exception e) {
logger.error("Could not execute approval", e);
response.setStatus(500);
ScaleError error = new ScaleError();
error.getErrors().add("There was a problem completeding your request, please contact your system administrator");
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().print(gson.toJson(error).trim());
response.getWriter().flush();
}
}
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/reports/org/")) {
loadReports(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/reports/excel/")) {
exportToExcel(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/reports/")) {
runReport(request, response, gson);
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/urls")) {
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
AzSys az = new AzSys();
PortalUrlsType pt = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getPortal();
PortalURLs urls = new PortalURLs();
if (pt != null && pt.getUrls() != null) {
for (PortalUrlType url : pt.getUrls()) {
if (url.getAzRules() != null && url.getAzRules().getRule().size() > 0) {
ArrayList<AzRule> rules = new ArrayList<AzRule>();
for (AzRuleType art : url.getAzRules().getRule()) {
rules.add(new AzRule(art.getScope(), art.getConstraint(), art.getClassName(), GlobalEntries.getGlobalEntries().getConfigManager(), null));
}
if (!az.checkRules(userData, GlobalEntries.getGlobalEntries().getConfigManager(), rules, request.getSession(), this.appType, new HashMap<String, Object>())) {
continue;
}
}
PortalURL purl = new PortalURL();
purl.setName(url.getName());
purl.setLabel(url.getLabel());
purl.setOrg(url.getOrg());
purl.setUrl(url.getUrl());
purl.setIcon(url.getIcon());
urls.getUrls().add(purl);
}
}
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().print(gson.toJson(urls.getUrls()).trim());
response.getWriter().flush();
} else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/urls/org")) {
String id = URLDecoder.decode(request.getRequestURI().substring(request.getRequestURI().lastIndexOf('/') + 1), "UTF-8");
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
AzSys az = new AzSys();
PortalUrlsType pt = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getPortal();
PortalURLs urls = new PortalURLs();
for (PortalUrlType url : pt.getUrls()) {
if (url.getOrg().equalsIgnoreCase(id)) {
if (url.getAzRules() != null && url.getAzRules().getRule().size() > 0) {
ArrayList<AzRule> rules = new ArrayList<AzRule>();
for (AzRuleType art : url.getAzRules().getRule()) {
rules.add(new AzRule(art.getScope(), art.getConstraint(), art.getClassName(), GlobalEntries.getGlobalEntries().getConfigManager(), null));
}
if (!az.checkRules(userData, GlobalEntries.getGlobalEntries().getConfigManager(), rules, request.getSession(), this.appType, new HashMap<String, Object>())) {
continue;
}
}
PortalURL purl = new PortalURL();
purl.setName(url.getName());
purl.setLabel(url.getLabel());
purl.setOrg(url.getOrg());
purl.setUrl(url.getUrl());
purl.setIcon(url.getIcon());
urls.getUrls().add(purl);
}
}
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().print(gson.toJson(urls.getUrls()).trim());
response.getWriter().flush();
} else {
response.setStatus(500);
ScaleError error = new ScaleError();
error.getErrors().add("Operation not supported");
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().print(gson.toJson(error).trim());
response.getWriter().flush();
}
} catch (Throwable t) {
logger.error("Could not execute request", t);
response.setStatus(500);
ScaleError error = new ScaleError();
error.getErrors().add("Operation not supported");
ScaleJSUtils.addCacheHeaders(response);
response.getWriter().print(gson.toJson(error).trim());
response.getWriter().flush();
}
}
use of com.tremolosecurity.scalejs.data.PreCheckResponse in project OpenUnison by TremoloSecurity.
the class ScaleMain method executeWorkflows.
private void executeWorkflows(HttpFilterRequest request, HttpFilterResponse response, Gson gson) throws Exception {
Type listType = new TypeToken<ArrayList<WorkflowRequest>>() {
}.getType();
byte[] requestBytes = (byte[]) request.getAttribute(ProxySys.MSG_BODY);
String requestString = new String(requestBytes, StandardCharsets.UTF_8);
List<WorkflowRequest> reqs = gson.fromJson(requestString, listType);
HashMap<String, String> results = new HashMap<String, String>();
for (WorkflowRequest req : reqs) {
if (req.getReason() == null || req.getReason().isEmpty()) {
results.put(req.getUuid(), "Reason is required");
} else {
HashSet<String> allowedOrgs = new HashSet<String>();
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
AzSys az = new AzSys();
this.checkOrg(allowedOrgs, ot, az, userData, request.getSession());
String orgid = null;
List<WorkflowType> wfs = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getWorkflows().getWorkflow();
for (WorkflowType wf : wfs) {
if (wf.getName().equals(req.getName())) {
orgid = wf.getOrgid();
break;
}
}
if (orgid == null) {
results.put(req.getUuid(), "Not Found");
} else if (!allowedOrgs.contains(orgid)) {
results.put(req.getUuid(), "Unauthorized");
} else {
WFCall wfCall = new WFCall();
wfCall.setName(req.getName());
String requestReason = req.getReason().trim();
if (requestReason.length() > 255) {
logger.warn("Reason is oversized : " + requestReason.length());
requestReason = requestReason.substring(0, 255);
}
wfCall.setReason(requestReason);
wfCall.setUidAttributeName(this.scaleConfig.getUidAttributeName());
wfCall.setEncryptedParams(req.getEncryptedParams());
TremoloUser tu = new TremoloUser();
if (req.getSubjects() == null || req.getSubjects().isEmpty()) {
tu.setUid(userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0));
tu.getAttributes().add(new Attribute(this.scaleConfig.getUidAttributeName(), userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0)));
wfCall.setUser(tu);
try {
com.tremolosecurity.provisioning.workflow.ExecuteWorkflow exec = new com.tremolosecurity.provisioning.workflow.ExecuteWorkflow();
exec.execute(wfCall, GlobalEntries.getGlobalEntries().getConfigManager());
results.put(req.getUuid(), "success");
} catch (Exception e) {
logger.error("Could not update user", e);
results.put(req.getUuid(), "Error, please contact your system administrator");
}
} else {
PreCheckResponse preCheckResp = new PreCheckResponse();
checkPreCheck(request, userData, allowedOrgs, req.getName(), orgid, preCheckResp);
StringBuffer errors = new StringBuffer();
if (preCheckResp.isCanDelegate()) {
for (String subject : req.getSubjects()) {
// execute for each subject
wfCall = new WFCall();
wfCall.setName(req.getName());
wfCall.setReason(req.getReason());
wfCall.setUidAttributeName(this.scaleConfig.getUidAttributeName());
wfCall.setEncryptedParams(req.getEncryptedParams());
wfCall.setRequestor(userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0));
tu = new TremoloUser();
wfCall.setUser(tu);
LDAPSearchResults searchRes = GlobalEntries.getGlobalEntries().getConfigManager().getMyVD().search(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot(), 2, equal(this.scaleConfig.getUidAttributeName(), subject).toString(), new ArrayList<String>());
if (searchRes.hasMore()) {
LDAPEntry entry = searchRes.next();
if (entry == null) {
errors.append("Error, user " + subject + " does not exist;");
} else {
startSubjectWorkflow(errors, req, wfCall, tu, subject, entry, preCheckResp);
}
} else {
errors.append("Error, user " + subject + " does not exist;");
}
while (searchRes.hasMore()) searchRes.next();
}
if (errors.length() == 0) {
results.put(req.getUuid(), "success");
} else {
results.put(req.getUuid(), errors.toString().substring(0, errors.toString().length() - 1));
}
} else {
results.put(req.getUuid(), "Unable to submit");
logger.warn("User '" + userData.getUserDN() + "' not allowed to request for others for '" + req.getName() + "'");
}
}
}
}
}
ScaleJSUtils.addCacheHeaders(response);
response.setContentType("application/json");
response.getWriter().println(gson.toJson(results).trim());
}
Aggregations