
Example 1 with OktaTarget

use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.

Class LoadGroupsFromOkta, method validate:

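/**
 * Validates that {@code value} names exactly one Okta group.
 *
 * <p>The lookup is delegated to the Okta SDK ({@code listGroups(q, ...)}), so the submitted
 * value travels as a query parameter and is never spliced into a filter expression.
 *
 * @param value   the group name submitted by the caller
 * @param request the current request (not consulted)
 * @return {@code null} when the group exists, otherwise the configured error message
 * @throws Exception if no target is configured or the configured target cannot be found
 */
@Override
public String validate(String value, HttpFilterRequest request) throws Exception {
    if (targetName == null) {
        throw new Exception("targetName not configured");
    }
    OktaTarget okta = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.targetName).getProvider();
    if (okta == null) {
        throw new Exception("The target " + targetName + " does not exist");
    }
    Client client = okta.getOkta();
    GroupList groupList = client.listGroups(value, null, null);
    Group group;
    try {
        group = groupList.single();
    } catch (IllegalStateException e) {
        // single() raises IllegalStateException when the query matches zero or several groups;
        // either way the value is not a valid, unique group name, which is a validation failure,
        // not a server error.
        return this.errorMessage;
    }
    // the Okta query is a search, so confirm the returned group is an exact name match
    if (group == null || !group.getProfile().getName().equals(value)) {
        return this.errorMessage;
    }
    return null;
}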

Example 2 with OktaTarget

use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.

Class LoadGroupsFromOkta, method getSourceList:

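/**
 * Lists Okta groups as name/value pairs (name used for both), sorted by name.
 *
 * <p>Without a {@code search} parameter the whole group list is returned and is truncated to
 * {@code maxEntries} only when dynamic search is enabled. With a {@code search} parameter its
 * first value is passed to Okta as the group query and at most {@code maxEntries} matches are
 * returned.
 *
 * @param request the current request; only the {@code search} parameter is read
 * @return the (possibly truncated) groups sorted by name; never {@code null}
 * @throws Exception if no target is configured or the configured target cannot be found
 */
@Override
public List<NVP> getSourceList(HttpFilterRequest request) throws Exception {
    if (targetName == null) {
        throw new Exception("targetName not configured");
    }
    OktaTarget okta = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.targetName).getProvider();
    if (okta == null) {
        throw new Exception("The target " + targetName + " does not exist");
    }
    Client client = okta.getOkta();
    GroupList groupList;
    int limit;
    if (request.getParameter("search") == null) {
        groupList = client.listGroups();
        // an unfiltered listing is only capped when the picker searches dynamically
        limit = this.dynSearch ? this.maxEntries : Integer.MAX_VALUE;
    } else {
        groupList = client.listGroups(request.getParameter("search").getValues().get(0), null, null);
        limit = this.maxEntries;
    }
    ArrayList<NVP> toReturn = new ArrayList<NVP>();
    int count = 0;
    for (Group group : groupList) {
        String name = group.getProfile().getName();
        toReturn.add(new NVP(name, name));
        // the counter must advance on both paths, otherwise the cap never fires
        count++;
        if (count >= limit) {
            break;
        }
    }
    Collections.sort(toReturn, new Comparator<NVP>() {

        @Override
        public int compare(NVP arg0, NVP arg1) {
            return arg0.getName().compareTo(arg1.getName());
        }
    });
    return toReturn;
}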

Example 3 with OktaTarget

use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.

Class OktaInsert, method search:

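/**
 * Serves LDAP searches from Okta.
 *
 * <p>A base-scope search on the insert's base DN returns a synthetic base entry; a base-scope
 * search below it resolves a single user ({@code login=...}) or group ({@code name=...}) from
 * the first RDN. Every other scope is handled as a subtree search: for user inserts the LDAP
 * filter is translated to an Okta filter (via {@code cleanFilter}/{@code stringFilter}) and each
 * returned user is re-checked against the original LDAP filter; for group inserts the group
 * names and member logins referenced by the filter are looked up, or all groups are listed when
 * the filter references neither.
 *
 * @param chain       interceptor chain the results are handed to
 * @param base        search base
 * @param scope       search scope; 0 is a base search, anything else is served as subtree
 * @param filter      LDAP filter
 * @param attributes  requested attributes
 * @param typesOnly   whether only attribute types are requested
 * @param results     result set the entries are added to
 * @param constraints search constraints
 * @throws LDAPException {@code OPERATIONS_ERROR} if the Okta target cannot be obtained or a
 *                       group cannot be loaded, {@code NO_SUCH_OBJECT} for an unknown group
 */
@Override
public void search(SearchInterceptorChain chain, DistinguishedName base, Int scope, Filter filter, ArrayList<Attribute> attributes, Bool typesOnly, Results results, LDAPSearchConstraints constraints) throws LDAPException {
    OktaTarget os;
    try {
        os = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.target).getProvider();
    } catch (ProvisioningException e1) {
        logger.error("Could not retrieve okta target", e1);
        throw new LDAPException("Could not connect to okta", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e1);
    }
    if (os == null) {
        // a null provider means the configured target name did not resolve; fail here rather
        // than with a NullPointerException on os.getOkta() below
        logger.error("Okta target not found");
        throw new LDAPException("Could not connect to okta", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR));
    }
    // base search
    if (scope.getValue() == 0) {
        // dir root
        if (base.getDN().equals(this.baseDN)) {
            ArrayList<Entry> ret = new ArrayList<Entry>();
            ret.add(new Entry(EntryUtil.createBaseEntry(this.baseDN)));
            chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
            return;
        } else {
            // single entry: the first RDN's value names the user or group
            if (this.users) {
                String name = ((RDN) base.getDN().getRDNs().get(0)).getValue();
                loadUserFromOkta(chain, base, scope, filter, attributes, typesOnly, results, constraints, os, name, base.getDN().toString(), true);
            } else {
                String name = ((RDN) base.getDN().getRDNs().get(0)).getValue();
                Client okta = os.getOkta();
                try {
                    ArrayList<Entry> ret = new ArrayList<Entry>();
                    loadGroupFromOkta(base, filter, name, okta, ret);
                    chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
                } catch (ResourceException e) {
                    // Okta 404 is the only status mapped to NO_SUCH_OBJECT; anything else is a server error
                    if (e.getStatus() == 404) {
                        throw new LDAPException("group not found", LDAPException.NO_SUCH_OBJECT, LDAPException.resultCodeToString(LDAPException.NO_SUCH_OBJECT));
                    } else {
                        throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
                    }
                } catch (UnsupportedEncodingException e) {
                    throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
                } catch (IllegalStateException e) {
                    // raised by the SDK when the group query matches zero or several groups
                    throw new LDAPException("group not found", LDAPException.NO_SUCH_OBJECT, LDAPException.resultCodeToString(LDAPException.NO_SUCH_OBJECT));
                }
            }
            return;
        }
    } else {
        // every non-base scope (one-level included) is served as a subtree search
        Client okta = os.getOkta();
        Filter newFilter = new Filter(filter.getRoot().toString());
        String finalOktaFilter = null;
        // cleanFilter/stringFilter translate the LDAP filter into Okta filter syntax; when
        // cleanFilter rejects it, finalOktaFilter stays null and Okta is queried unfiltered
        if (this.cleanFilter(newFilter.getRoot())) {
            StringBuffer filterForOkta = new StringBuffer();
            this.stringFilter(newFilter.getRoot(), filterForOkta);
            finalOktaFilter = filterForOkta.toString();
        }
        if (logger.isDebugEnabled()) {
            logger.debug(newFilter.getRoot().toString());
        }
        if (this.users) {
            UserList usersFromOkta = okta.listUsers(null, finalOktaFilter, null, null, null);
            StringBuilder sb = new StringBuilder();
            ArrayList<Entry> ret = new ArrayList<Entry>();
            for (User user : usersFromOkta) {
                if (logger.isDebugEnabled()) {
                    logger.debug(user);
                }
                sb.setLength(0);
                // "+" is escaped in the DN because it is an RDN separator; bind() reverses this
                sb.append("login=").append(user.getProfile().getLogin().replace("+", "\\+")).append(",").append(this.baseDN.toString());
                LDAPEntry ldapUser = createLdapUser(sb.toString(), user);
                // the Okta-side filter may be looser (or absent), so the LDAP filter is authoritative
                if (filter.getRoot().checkEntry(ldapUser)) {
                    ret.add(new Entry(ldapUser));
                }
            }
            chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
        } else {
            HashSet<String> groupsToLookup = new HashSet<String>();
            HashSet<String> usersToLookup = new HashSet<String>();
            // collects the group names and member logins the client's filter refers to
            loadGroups(filter.getRoot(), groupsToLookup, usersToLookup);
            StringBuilder sb = new StringBuilder();
            HashSet<String> processedGroups = new HashSet<String>();
            ArrayList<Entry> ret = new ArrayList<Entry>();
            if (usersToLookup.size() > 0) {
                // Members are resolved by asking Okta which groups each login belongs to. The Okta
                // filter is assembled as a string, and a double quote would end the quoted literal
                // (a backslash may escape one), so a login carrying either character -- these
                // values come from the client's LDAP filter -- is left out of the query instead of
                // being spliced into it.
                sb.setLength(0);
                for (String username : usersToLookup) {
                    if (username.indexOf('"') >= 0 || username.indexOf('\\') >= 0) {
                        if (logger.isDebugEnabled()) {
                            logger.debug("Skipping member login that cannot be represented in an Okta filter");
                        }
                        continue;
                    }
                    sb.append("profile.login eq \"").append(username).append("\" or ");
                }
                if (sb.length() > 0) {
                    // drop the trailing "or " left by the loop
                    String searchFilter = sb.substring(0, sb.length() - 3);
                    UserList users = okta.listUsers(null, searchFilter, null, null, null);
                    for (User fromOkta : users) {
                        GroupList memberships = fromOkta.listGroups();
                        for (Group groupFromOkta : memberships) {
                            if (!processedGroups.contains(groupFromOkta.getProfile().getName())) {
                                try {
                                    processedGroups.add(groupFromOkta.getProfile().getName());
                                    sb.setLength(0);
                                    sb.append("name=").append(groupFromOkta.getProfile().getName().replace("+", "\\+")).append(",").append(this.baseDN.toString());
                                    LDAPEntry entry = new LDAPEntry(sb.toString());
                                    try {
                                        this.oktaGroup2Ldap(filter, ret, groupFromOkta, entry);
                                    } catch (UnsupportedEncodingException e) {
                                        throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
                                    }
                                } catch (IllegalStateException e) {
                                    // the SDK raises this for a missing/ambiguous group; skip it
                                }
                            }
                        }
                    }
                }
            }
            if (groupsToLookup.size() > 0) {
                for (String group : groupsToLookup) {
                    if (!processedGroups.contains(group)) {
                        // the group name travels as the SDK's query parameter, not in a filter string
                        GroupList groups = okta.listGroups(group, null, null);
                        processedGroups.add(group);
                        try {
                            Group groupFromOkta = groups.single();
                            sb.setLength(0);
                            sb.append("name=").append(groupFromOkta.getProfile().getName().replace("+", "\\+")).append(",").append(this.baseDN.toString());
                            LDAPEntry entry = new LDAPEntry(sb.toString());
                            try {
                                this.oktaGroup2Ldap(filter, ret, groupFromOkta, entry);
                            } catch (UnsupportedEncodingException e) {
                                throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
                            }
                        } catch (IllegalStateException e) {
                            // single() found zero or several groups for this name; skip it
                        }
                    }
                }
            }
            if (usersToLookup.size() == 0 && groupsToLookup.size() == 0) {
                // the filter names no group or member, so list the whole directory
                GroupList groups = okta.listGroups();
                try {
                    for (Group groupFromOkta : groups) {
                        sb.setLength(0);
                        sb.append("name=").append(groupFromOkta.getProfile().getName().replace("+", "\\+")).append(",").append(this.baseDN.toString());
                        LDAPEntry entry = new LDAPEntry(sb.toString());
                        try {
                            this.oktaGroup2Ldap(filter, ret, groupFromOkta, entry);
                        } catch (UnsupportedEncodingException e) {
                            throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
                        }
                    }
                } catch (IllegalStateException e) {
                    // listing aborted by the SDK; whatever was collected so far is returned
                }
            }
            chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
        }
        return;
    }
}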

Example 4 with OktaTarget

use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.

Class OktaInsert, method bind:

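/**
 * Authenticates an LDAP simple bind against Okta.
 *
 * <p>Only user binds are supported: the bind DN's first RDN must be {@code login=...}. The
 * login is un-escaped ({@code \+} written into DNs on the way out becomes {@code +}) and
 * verified with the Okta authentication SDK against the target's org URL.
 *
 * @param chain       interceptor chain (not consulted; Okta is the authority for the bind)
 * @param dn          the bind DN
 * @param pwd         the bind password
 * @param constraints LDAP constraints (not consulted)
 * @throws LDAPException {@code UNWILLING_TO_PERFORM} for group inserts or DNs whose first RDN
 *                       is not {@code login}, {@code INVALID_CREDENTIALS} when Okta answers 401,
 *                       {@code OPERATIONS_ERROR} when the target or Okta cannot be reached
 */
@Override
public void bind(BindInterceptorChain chain, DistinguishedName dn, Password pwd, LDAPConstraints constraints) throws LDAPException {
    if (!this.users) {
        throw new LDAPException("Unsupported", LDAPException.UNWILLING_TO_PERFORM, LDAPException.resultCodeToString(LDAPException.UNWILLING_TO_PERFORM));
    }
    RDN rdn = (RDN) dn.getDN().getRDNs().get(0);
    if (!rdn.getType().equalsIgnoreCase("login")) {
        throw new LDAPException("Unsupported", LDAPException.UNWILLING_TO_PERFORM, LDAPException.resultCodeToString(LDAPException.UNWILLING_TO_PERFORM));
    }
    // literal replace (not a regex): reverses the "+" escaping applied when user DNs are built
    String userid = rdn.getValue().replace("\\+", "+");
    OktaTarget os;
    try {
        os = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.target).getProvider();
    } catch (ProvisioningException e1) {
        logger.error("Could not retrieve okta target", e1);
        throw new LDAPException("Could not connect to okta", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e1);
    }
    if (os == null) {
        // a null provider means the configured target name did not resolve
        logger.error("Okta target not found");
        throw new LDAPException("Could not connect to okta", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR));
    }
    AuthenticationClient client = AuthenticationClients.builder().setOrgUrl(os.getDomain()).build();
    // NOTE(review): new String(bytes) decodes with the platform charset; LDAP clients normally
    // send UTF-8, so non-ASCII passwords depend on the JVM default -- confirm before changing.
    // The String copy cannot be wiped; only the char[] handed to the SDK is cleared below.
    char[] pwdChars = new String(pwd.getValue()).toCharArray();
    try {
        OktaAuthResponse authResp = new OktaAuthResponse(userid);
        client.authenticate(userid, pwdChars, "", authResp);
        // the state handler records a failure as an exception rather than throwing it itself
        if (authResp.getResult() != null) {
            throw authResp.getResult();
        }
    } catch (AuthenticationException e) {
        if (e.getStatus() == 401) {
            // bad credentials are reported as INVALID_CREDENTIALS without a log entry
            throw new LDAPException("Could not authenticate", LDAPException.INVALID_CREDENTIALS, LDAPException.resultCodeToString(LDAPException.INVALID_CREDENTIALS));
        } else {
            logger.error("Unexpected authentication error", e);
            throw new LDAPException("Unexpected authentication error", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR));
        }
    } finally {
        // clear the mutable password copy once Okta has consumed it
        for (int i = 0; i < pwdChars.length; i++) {
            pwdChars[i] = 0;
        }
    }
}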
