Search in sources :

Example 1 with PreCheckResponse

use of com.tremolosecurity.scalejs.data.PreCheckResponse in project OpenUnison by TremoloSecurity.

the class ScaleMain method doFilter.

@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    Gson gson = new Gson();
    request.getServletRequest().setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");
    try {
        if (request.getRequestURI().endsWith("/main/config")) {
            if (scaleConfig.getUiDecisions() != null) {
                AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
                Set<String> allowedAttrs = this.scaleConfig.getUiDecisions().availableAttributes(userData, request.getServletRequest());
                ScaleConfig local = new ScaleConfig(this.scaleConfig);
                if (allowedAttrs != null) {
                    for (String attrName : this.scaleConfig.getAttributes().keySet()) {
                        if (!allowedAttrs.contains(attrName)) {
                            local.getAttributes().remove(attrName);
                        }
                    }
                }
                local.setCanEditUser(this.scaleConfig.getUiDecisions().canEditUser(userData, request.getServletRequest()));
                ScaleJSUtils.addCacheHeaders(response);
                response.setContentType("application/json");
                response.getWriter().println(gson.toJson(local).trim());
            } else {
                ScaleJSUtils.addCacheHeaders(response);
                response.setContentType("application/json");
                response.getWriter().println(gson.toJson(scaleConfig).trim());
            }
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/user")) {
            lookupUser(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("PUT") && request.getRequestURI().endsWith("/main/user")) {
            saveUser(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/orgs")) {
            AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            AzSys az = new AzSys();
            OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
            Organization org = new Organization();
            copyOrg(org, ot, az, userData);
            ScaleJSUtils.addCacheHeaders(response);
            response.setContentType("application/json");
            response.getWriter().println(gson.toJson(org).trim());
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/workflows/org/")) {
            loadWorkflows(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/workflows/candelegate")) {
            try {
                AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
                OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
                AzSys az = new AzSys();
                HashSet<String> allowedOrgs = new HashSet<String>();
                this.checkOrg(allowedOrgs, ot, az, userData, request.getSession());
                String workflowName = request.getParameter("workflowName").getValues().get(0);
                // need to check org
                String orgid = null;
                for (WorkflowType wf : GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getWorkflows().getWorkflow()) {
                    if (wf.getName().equals(workflowName)) {
                        orgid = wf.getOrgid();
                        break;
                    }
                }
                PreCheckResponse preCheckResp = new PreCheckResponse();
                if (request.getParameter("uuid") != null) {
                    preCheckResp.setUuid(request.getParameter("uuid").getValues().get(0));
                }
                checkPreCheck(request, userData, allowedOrgs, workflowName, orgid, preCheckResp);
                ScaleJSUtils.addCacheHeaders(response);
                response.getWriter().print(gson.toJson(preCheckResp).trim());
                response.getWriter().flush();
            } catch (Throwable t) {
                logger.error("Could not check for preapproval status", t);
                response.setStatus(500);
                response.setContentType("application/json");
                ScaleJSUtils.addCacheHeaders(response);
                ScaleError error = new ScaleError();
                error.getErrors().add("Unable to check");
                response.getWriter().print(gson.toJson(error).trim());
                response.getWriter().flush();
            }
        } else if (request.getMethod().equalsIgnoreCase("PUT") && request.getRequestURI().endsWith("/main/workflows")) {
            executeWorkflows(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/approvals")) {
            AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            String uid = userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0);
            response.setContentType("application/json");
            ScaleJSUtils.addCacheHeaders(response);
            response.getWriter().println(gson.toJson(ServiceActions.listOpenApprovals(uid, this.scaleConfig.getDisplayNameAttribute(), GlobalEntries.getGlobalEntries().getConfigManager())).trim());
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/approvals/")) {
            loadApproval(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("PUT") && request.getRequestURI().contains("/main/approvals/")) {
            int approvalID = Integer.parseInt(request.getRequestURI().substring(request.getRequestURI().lastIndexOf('/') + 1));
            AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            String uid = userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0);
            boolean ok = false;
            ApprovalSummaries summaries = ServiceActions.listOpenApprovals(uid, this.scaleConfig.getDisplayNameAttribute(), GlobalEntries.getGlobalEntries().getConfigManager());
            for (ApprovalSummary as : summaries.getApprovals()) {
                if (as.getApproval() == approvalID) {
                    ok = true;
                }
            }
            if (!ok) {
                response.setStatus(401);
                response.setContentType("application/json");
                ScaleJSUtils.addCacheHeaders(response);
                ScaleError error = new ScaleError();
                error.getErrors().add("Unauthorized");
                response.getWriter().print(gson.toJson(error).trim());
                response.getWriter().flush();
            } else {
                ScaleApprovalData approvalData = gson.fromJson(new String((byte[]) request.getAttribute(ProxySys.MSG_BODY)), ScaleApprovalData.class);
                try {
                    String approval = approvalData.getReason().trim();
                    if (approval.length() > 255) {
                        logger.warn("approval justification greater then 255 characters");
                        approval = approval.substring(0, 255);
                    }
                    GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().doApproval(approvalID, uid, approvalData.isApproved(), approval);
                } catch (Exception e) {
                    logger.error("Could not execute approval", e);
                    response.setStatus(500);
                    ScaleError error = new ScaleError();
                    error.getErrors().add("There was a problem completeding your request, please contact your system administrator");
                    ScaleJSUtils.addCacheHeaders(response);
                    response.getWriter().print(gson.toJson(error).trim());
                    response.getWriter().flush();
                }
            }
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/reports/org/")) {
            loadReports(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/reports/excel/")) {
            exportToExcel(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/reports/")) {
            runReport(request, response, gson);
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().endsWith("/main/urls")) {
            AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            AzSys az = new AzSys();
            PortalUrlsType pt = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getPortal();
            PortalURLs urls = new PortalURLs();
            if (pt != null && pt.getUrls() != null) {
                for (PortalUrlType url : pt.getUrls()) {
                    if (url.getAzRules() != null && url.getAzRules().getRule().size() > 0) {
                        ArrayList<AzRule> rules = new ArrayList<AzRule>();
                        for (AzRuleType art : url.getAzRules().getRule()) {
                            rules.add(new AzRule(art.getScope(), art.getConstraint(), art.getClassName(), GlobalEntries.getGlobalEntries().getConfigManager(), null));
                        }
                        if (!az.checkRules(userData, GlobalEntries.getGlobalEntries().getConfigManager(), rules, request.getSession(), this.appType, new HashMap<String, Object>())) {
                            continue;
                        }
                    }
                    PortalURL purl = new PortalURL();
                    purl.setName(url.getName());
                    purl.setLabel(url.getLabel());
                    purl.setOrg(url.getOrg());
                    purl.setUrl(url.getUrl());
                    purl.setIcon(url.getIcon());
                    urls.getUrls().add(purl);
                }
            }
            ScaleJSUtils.addCacheHeaders(response);
            response.getWriter().print(gson.toJson(urls.getUrls()).trim());
            response.getWriter().flush();
        } else if (request.getMethod().equalsIgnoreCase("GET") && request.getRequestURI().contains("/main/urls/org")) {
            String id = URLDecoder.decode(request.getRequestURI().substring(request.getRequestURI().lastIndexOf('/') + 1), "UTF-8");
            AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            AzSys az = new AzSys();
            PortalUrlsType pt = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getPortal();
            PortalURLs urls = new PortalURLs();
            for (PortalUrlType url : pt.getUrls()) {
                if (url.getOrg().equalsIgnoreCase(id)) {
                    if (url.getAzRules() != null && url.getAzRules().getRule().size() > 0) {
                        ArrayList<AzRule> rules = new ArrayList<AzRule>();
                        for (AzRuleType art : url.getAzRules().getRule()) {
                            rules.add(new AzRule(art.getScope(), art.getConstraint(), art.getClassName(), GlobalEntries.getGlobalEntries().getConfigManager(), null));
                        }
                        if (!az.checkRules(userData, GlobalEntries.getGlobalEntries().getConfigManager(), rules, request.getSession(), this.appType, new HashMap<String, Object>())) {
                            continue;
                        }
                    }
                    PortalURL purl = new PortalURL();
                    purl.setName(url.getName());
                    purl.setLabel(url.getLabel());
                    purl.setOrg(url.getOrg());
                    purl.setUrl(url.getUrl());
                    purl.setIcon(url.getIcon());
                    urls.getUrls().add(purl);
                }
            }
            ScaleJSUtils.addCacheHeaders(response);
            response.getWriter().print(gson.toJson(urls.getUrls()).trim());
            response.getWriter().flush();
        } else {
            response.setStatus(500);
            ScaleError error = new ScaleError();
            error.getErrors().add("Operation not supported");
            ScaleJSUtils.addCacheHeaders(response);
            response.getWriter().print(gson.toJson(error).trim());
            response.getWriter().flush();
        }
    } catch (Throwable t) {
        logger.error("Could not execute request", t);
        response.setStatus(500);
        ScaleError error = new ScaleError();
        error.getErrors().add("Operation not supported");
        ScaleJSUtils.addCacheHeaders(response);
        response.getWriter().print(gson.toJson(error).trim());
        response.getWriter().flush();
    }
}
Also used : Organization(com.tremolosecurity.provisioning.service.util.Organization) PortalUrlType(com.tremolosecurity.config.xml.PortalUrlType) PortalURL(com.tremolosecurity.provisioning.service.util.PortalURL) HashMap(java.util.HashMap) PortalURLs(com.tremolosecurity.provisioning.service.util.PortalURLs) ArrayList(java.util.ArrayList) Gson(com.google.gson.Gson) PortalUrlsType(com.tremolosecurity.config.xml.PortalUrlsType) XSSFRichTextString(org.apache.poi.xssf.usermodel.XSSFRichTextString) RichTextString(org.apache.poi.ss.usermodel.RichTextString) AzRuleType(com.tremolosecurity.config.xml.AzRuleType) ApprovalSummaries(com.tremolosecurity.provisioning.service.util.ApprovalSummaries) HashSet(java.util.HashSet) ApprovalSummary(com.tremolosecurity.provisioning.service.util.ApprovalSummary) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) PreCheckResponse(com.tremolosecurity.scalejs.data.PreCheckResponse) ScaleApprovalData(com.tremolosecurity.scalejs.data.ScaleApprovalData) ScaleError(com.tremolosecurity.scalejs.data.ScaleError) AuthController(com.tremolosecurity.proxy.auth.AuthController) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) LDAPException(com.novell.ldap.LDAPException) SQLException(java.sql.SQLException) IOException(java.io.IOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) MalformedURLException(java.net.MalformedURLException) OrgType(com.tremolosecurity.config.xml.OrgType) WorkflowType(com.tremolosecurity.config.xml.WorkflowType) AzSys(com.tremolosecurity.proxy.auth.AzSys) JsonObject(com.google.gson.JsonObject) AzRule(com.tremolosecurity.proxy.az.AzRule) ScaleConfig(com.tremolosecurity.scalejs.cfg.ScaleConfig)

Example 2 with PreCheckResponse

use of com.tremolosecurity.scalejs.data.PreCheckResponse in project OpenUnison by TremoloSecurity.

the class ScaleMain method executeWorkflows.

private void executeWorkflows(HttpFilterRequest request, HttpFilterResponse response, Gson gson) throws Exception {
    Type listType = new TypeToken<ArrayList<WorkflowRequest>>() {
    }.getType();
    byte[] requestBytes = (byte[]) request.getAttribute(ProxySys.MSG_BODY);
    String requestString = new String(requestBytes, StandardCharsets.UTF_8);
    List<WorkflowRequest> reqs = gson.fromJson(requestString, listType);
    HashMap<String, String> results = new HashMap<String, String>();
    for (WorkflowRequest req : reqs) {
        if (req.getReason() == null || req.getReason().isEmpty()) {
            results.put(req.getUuid(), "Reason is required");
        } else {
            HashSet<String> allowedOrgs = new HashSet<String>();
            AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            OrgType ot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getOrg();
            AzSys az = new AzSys();
            this.checkOrg(allowedOrgs, ot, az, userData, request.getSession());
            String orgid = null;
            List<WorkflowType> wfs = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getProvisioning().getWorkflows().getWorkflow();
            for (WorkflowType wf : wfs) {
                if (wf.getName().equals(req.getName())) {
                    orgid = wf.getOrgid();
                    break;
                }
            }
            if (orgid == null) {
                results.put(req.getUuid(), "Not Found");
            } else if (!allowedOrgs.contains(orgid)) {
                results.put(req.getUuid(), "Unauthorized");
            } else {
                WFCall wfCall = new WFCall();
                wfCall.setName(req.getName());
                String requestReason = req.getReason().trim();
                if (requestReason.length() > 255) {
                    logger.warn("Reason is oversized : " + requestReason.length());
                    requestReason = requestReason.substring(0, 255);
                }
                wfCall.setReason(requestReason);
                wfCall.setUidAttributeName(this.scaleConfig.getUidAttributeName());
                wfCall.setEncryptedParams(req.getEncryptedParams());
                TremoloUser tu = new TremoloUser();
                if (req.getSubjects() == null || req.getSubjects().isEmpty()) {
                    tu.setUid(userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0));
                    tu.getAttributes().add(new Attribute(this.scaleConfig.getUidAttributeName(), userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0)));
                    wfCall.setUser(tu);
                    try {
                        com.tremolosecurity.provisioning.workflow.ExecuteWorkflow exec = new com.tremolosecurity.provisioning.workflow.ExecuteWorkflow();
                        exec.execute(wfCall, GlobalEntries.getGlobalEntries().getConfigManager());
                        results.put(req.getUuid(), "success");
                    } catch (Exception e) {
                        logger.error("Could not update user", e);
                        results.put(req.getUuid(), "Error, please contact your system administrator");
                    }
                } else {
                    PreCheckResponse preCheckResp = new PreCheckResponse();
                    checkPreCheck(request, userData, allowedOrgs, req.getName(), orgid, preCheckResp);
                    StringBuffer errors = new StringBuffer();
                    if (preCheckResp.isCanDelegate()) {
                        for (String subject : req.getSubjects()) {
                            // execute for each subject
                            wfCall = new WFCall();
                            wfCall.setName(req.getName());
                            wfCall.setReason(req.getReason());
                            wfCall.setUidAttributeName(this.scaleConfig.getUidAttributeName());
                            wfCall.setEncryptedParams(req.getEncryptedParams());
                            wfCall.setRequestor(userData.getAttribs().get(this.scaleConfig.getUidAttributeName()).getValues().get(0));
                            tu = new TremoloUser();
                            wfCall.setUser(tu);
                            LDAPSearchResults searchRes = GlobalEntries.getGlobalEntries().getConfigManager().getMyVD().search(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot(), 2, equal(this.scaleConfig.getUidAttributeName(), subject).toString(), new ArrayList<String>());
                            if (searchRes.hasMore()) {
                                LDAPEntry entry = searchRes.next();
                                if (entry == null) {
                                    errors.append("Error, user " + subject + " does not exist;");
                                } else {
                                    startSubjectWorkflow(errors, req, wfCall, tu, subject, entry, preCheckResp);
                                }
                            } else {
                                errors.append("Error, user " + subject + " does not exist;");
                            }
                            while (searchRes.hasMore()) searchRes.next();
                        }
                        if (errors.length() == 0) {
                            results.put(req.getUuid(), "success");
                        } else {
                            results.put(req.getUuid(), errors.toString().substring(0, errors.toString().length() - 1));
                        }
                    } else {
                        results.put(req.getUuid(), "Unable to submit");
                        logger.warn("User '" + userData.getUserDN() + "' not allowed to request for others for '" + req.getName() + "'");
                    }
                }
            }
        }
    }
    ScaleJSUtils.addCacheHeaders(response);
    response.setContentType("application/json");
    response.getWriter().println(gson.toJson(results).trim());
}
Also used : HashMap(java.util.HashMap) Attribute(com.tremolosecurity.saml.Attribute) LDAPAttribute(com.novell.ldap.LDAPAttribute) ScaleAttribute(com.tremolosecurity.scalejs.cfg.ScaleAttribute) ArrayList(java.util.ArrayList) XSSFRichTextString(org.apache.poi.xssf.usermodel.XSSFRichTextString) RichTextString(org.apache.poi.ss.usermodel.RichTextString) LDAPEntry(com.novell.ldap.LDAPEntry) TremoloUser(com.tremolosecurity.provisioning.service.util.TremoloUser) HashSet(java.util.HashSet) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) WFCall(com.tremolosecurity.provisioning.service.util.WFCall) PreCheckResponse(com.tremolosecurity.scalejs.data.PreCheckResponse) AuthController(com.tremolosecurity.proxy.auth.AuthController) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) LDAPException(com.novell.ldap.LDAPException) SQLException(java.sql.SQLException) IOException(java.io.IOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) MalformedURLException(java.net.MalformedURLException) OrgType(com.tremolosecurity.config.xml.OrgType) ReportType(com.tremolosecurity.config.xml.ReportType) ReportsType(com.tremolosecurity.config.xml.ReportsType) PortalUrlsType(com.tremolosecurity.config.xml.PortalUrlsType) ApplicationType(com.tremolosecurity.config.xml.ApplicationType) Type(java.lang.reflect.Type) PortalUrlType(com.tremolosecurity.config.xml.PortalUrlType) ParamType(com.tremolosecurity.config.xml.ParamType) AzRuleType(com.tremolosecurity.config.xml.AzRuleType) WorkflowType(com.tremolosecurity.config.xml.WorkflowType) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) OrgType(com.tremolosecurity.config.xml.OrgType) WorkflowType(com.tremolosecurity.config.xml.WorkflowType) AzSys(com.tremolosecurity.proxy.auth.AzSys) WorkflowRequest(com.tremolosecurity.scalejs.data.WorkflowRequest)

Aggregations

LDAPException (com.novell.ldap.LDAPException)2 AzRuleType (com.tremolosecurity.config.xml.AzRuleType)2 OrgType (com.tremolosecurity.config.xml.OrgType)2 PortalUrlType (com.tremolosecurity.config.xml.PortalUrlType)2 PortalUrlsType (com.tremolosecurity.config.xml.PortalUrlsType)2 WorkflowType (com.tremolosecurity.config.xml.WorkflowType)2 ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)2 AuthController (com.tremolosecurity.proxy.auth.AuthController)2 AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)2 AzSys (com.tremolosecurity.proxy.auth.AzSys)2 PreCheckResponse (com.tremolosecurity.scalejs.data.PreCheckResponse)2 IOException (java.io.IOException)2 UnsupportedEncodingException (java.io.UnsupportedEncodingException)2 MalformedURLException (java.net.MalformedURLException)2 SQLException (java.sql.SQLException)2 ArrayList (java.util.ArrayList)2 HashMap (java.util.HashMap)2 HashSet (java.util.HashSet)2 RichTextString (org.apache.poi.ss.usermodel.RichTextString)2 XSSFRichTextString (org.apache.poi.xssf.usermodel.XSSFRichTextString)2