Example 1 with OktaTarget
use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.
the class LoadGroupsFromOkta method validate.
@Override
public String validate(String value, HttpFilterRequest request) throws Exception {
if (targetName == null) {
throw new Exception("targetName not configured");
}
OktaTarget okta = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.targetName).getProvider();
if (okta == null) {
throw new Exception("The target " + targetName + " does not exist");
}
Client client = okta.getOkta();
GroupList groupList = client.listGroups(value, null, null);
Group group = groupList.single();
if (group == null || !group.getProfile().getName().equals(value)) {
return this.errorMessage;
} else {
return null;
}
}
Also used :
Group(com.okta.sdk.resource.group.Group)
GroupList(com.okta.sdk.resource.group.GroupList)
OktaTarget(com.tremolosecurity.unison.okta.provisioning.OktaTarget)
Client(com.okta.sdk.client.Client)
Example 2 with OktaTarget
use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.
the class LoadGroupsFromOkta method getSourceList.
@Override
public List<NVP> getSourceList(HttpFilterRequest request) throws Exception {
if (targetName == null) {
throw new Exception("targetName not configured");
}
OktaTarget okta = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.targetName).getProvider();
if (okta == null) {
throw new Exception("The target " + targetName + " does not exist");
}
Client client = okta.getOkta();
if (request.getParameter("search") == null) {
ArrayList<NVP> toReturn = new ArrayList<NVP>();
GroupList groupList = client.listGroups();
int i = 0;
for (Group group : groupList) {
toReturn.add(new NVP(group.getProfile().getName(), group.getProfile().getName()));
if (this.dynSearch && i >= this.maxEntries) {
break;
}
}
Collections.sort(toReturn, new Comparator<NVP>() {
@Override
public int compare(NVP arg0, NVP arg1) {
return arg0.getName().compareTo(arg1.getName());
}
});
return toReturn;
} else {
int i = 0;
ArrayList<NVP> toReturn = new ArrayList<NVP>();
GroupList groupList = client.listGroups(request.getParameter("search").getValues().get(0), null, null);
for (Group group : groupList) {
toReturn.add(new NVP(group.getProfile().getName(), group.getProfile().getName()));
i++;
if (i >= this.maxEntries) {
break;
}
}
Collections.sort(toReturn, new Comparator<NVP>() {
@Override
public int compare(NVP arg0, NVP arg1) {
return arg0.getName().compareTo(arg1.getName());
}
});
return toReturn;
}
}Example 3 with OktaTarget
use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.
the class OktaInsert method search.
@Override
public void search(SearchInterceptorChain chain, DistinguishedName base, Int scope, Filter filter, ArrayList<Attribute> attributes, Bool typesOnly, Results results, LDAPSearchConstraints constraints) throws LDAPException {
OktaTarget os = null;
try {
os = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.target).getProvider();
} catch (ProvisioningException e1) {
logger.error("Could not retrieve kubernetes target", e1);
throw new LDAPException("Could not connect to kubernetes", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR));
}
// base search
if (scope.getValue() == 0) {
// dir root
if (base.getDN().equals(this.baseDN)) {
ArrayList<Entry> ret = new ArrayList<Entry>();
ret.add(new Entry(EntryUtil.createBaseEntry(this.baseDN)));
chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
return;
} else {
if (this.users) {
String name = ((RDN) base.getDN().getRDNs().get(0)).getValue();
loadUserFromOkta(chain, base, scope, filter, attributes, typesOnly, results, constraints, os, name, base.getDN().toString(), true);
} else {
String name = ((RDN) base.getDN().getRDNs().get(0)).getValue();
Client okta = os.getOkta();
GroupList groupList = null;
Group fromOkta = null;
try {
ArrayList<Entry> ret = new ArrayList<Entry>();
loadGroupFromOkta(base, filter, name, okta, ret);
chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
} catch (ResourceException e) {
if (e.getStatus() == 404) {
throw new LDAPException("group not found", LDAPException.NO_SUCH_OBJECT, LDAPException.resultCodeToString(LDAPException.NO_SUCH_OBJECT));
} else {
throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
}
} catch (UnsupportedEncodingException e) {
throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
} catch (IllegalStateException e) {
throw new LDAPException("group not found", LDAPException.NO_SUCH_OBJECT, LDAPException.resultCodeToString(LDAPException.NO_SUCH_OBJECT));
}
}
return;
}
} else /*else if (scope.getValue() == 1) {
if (base.getDN().equals(this.baseDN)) {
if (this.users) {
String name = userFromFilter(filter.getRoot());
loadUserFromOkta(chain, base, scope, filter, attributes, typesOnly, results, constraints, os, name,new StringBuilder().append("login=").append(name).append(",").append(base.getDN().toString()).toString(),false);
}
return;
}
}*/
{
// only subtree left
// String name = userFromFilter(filter.getRoot());
// loadUserFromOkta(chain, base, scope, filter, attributes, typesOnly, results, constraints, os, name,new StringBuilder().append("uid=").append(name).append(",").append(this.baseDN.toString()).toString(),false);
Client okta = os.getOkta();
Filter newFilter = new Filter(filter.getRoot().toString());
String finalOktaFilter = null;
if (this.cleanFilter(newFilter.getRoot())) {
StringBuffer filterForOkta = new StringBuffer();
this.stringFilter(newFilter.getRoot(), filterForOkta);
finalOktaFilter = filterForOkta.toString();
}
if (logger.isDebugEnabled()) {
logger.debug(newFilter.getRoot().toString());
}
if (this.users) {
UserList usersFromOkta = okta.listUsers(null, finalOktaFilter, null, null, null);
StringBuilder sb = new StringBuilder();
ArrayList<Entry> ret = new ArrayList<Entry>();
for (User user : usersFromOkta) {
if (logger.isDebugEnabled()) {
logger.debug(user);
}
sb.setLength(0);
sb.append("login=").append(user.getProfile().getLogin().replace("+", "\\+")).append(",").append(this.baseDN.toString());
LDAPEntry ldapUser = createLdapUser(sb.toString(), user);
if (filter.getRoot().checkEntry(ldapUser)) {
ret.add(new Entry(ldapUser));
}
}
chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
} else {
HashSet<String> groupsToLookup = new HashSet<String>();
HashSet<String> usersToLookup = new HashSet<String>();
loadGroups(filter.getRoot(), groupsToLookup, usersToLookup);
StringBuilder sb = new StringBuilder();
HashSet<String> processedGroups = new HashSet<String>();
ArrayList<Entry> ret = new ArrayList<Entry>();
if (usersToLookup.size() > 0) {
sb.setLength(0);
for (String username : usersToLookup) {
sb.append("profile.login eq \"").append(username).append("\" or ");
}
String searchFilter = sb.toString();
searchFilter = searchFilter.substring(0, searchFilter.length() - 3);
UserList users = okta.listUsers(null, searchFilter, null, null, null);
for (User fromOkta : users) {
GroupList memberships = fromOkta.listGroups();
for (Group groupFromOkta : memberships) {
if (!processedGroups.contains(groupFromOkta.getProfile().getName())) {
try {
processedGroups.add(groupFromOkta.getProfile().getName());
sb.setLength(0);
sb.append("name=").append(groupFromOkta.getProfile().getName().replace("+", "\\+")).append(",").append(this.baseDN.toString());
LDAPEntry entry = new LDAPEntry(sb.toString());
try {
this.oktaGroup2Ldap(filter, ret, groupFromOkta, entry);
} catch (UnsupportedEncodingException e) {
throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
}
} catch (IllegalStateException e) {
// no nothing
}
}
}
}
}
if (groupsToLookup.size() > 0) {
for (String group : groupsToLookup) {
if (!processedGroups.contains(group)) {
GroupList groups = okta.listGroups(group, null, null);
processedGroups.add(group);
try {
Group groupFromOkta = groups.single();
sb.setLength(0);
sb.append("name=").append(groupFromOkta.getProfile().getName().replace("+", "\\+")).append(",").append(this.baseDN.toString());
LDAPEntry entry = new LDAPEntry(sb.toString());
try {
this.oktaGroup2Ldap(filter, ret, groupFromOkta, entry);
} catch (UnsupportedEncodingException e) {
throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
}
} catch (IllegalStateException e) {
// no nothing
}
}
}
}
if (usersToLookup.size() == 0 && groupsToLookup.size() == 0) {
GroupList groups = okta.listGroups();
try {
for (Group groupFromOkta : groups) {
sb.setLength(0);
sb.append("name=").append(groupFromOkta.getProfile().getName().replace("+", "\\+")).append(",").append(this.baseDN.toString());
LDAPEntry entry = new LDAPEntry(sb.toString());
try {
this.oktaGroup2Ldap(filter, ret, groupFromOkta, entry);
} catch (UnsupportedEncodingException e) {
throw new LDAPException("Could not load group", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR), e);
}
}
} catch (IllegalStateException e) {
// no nothing
}
}
chain.addResult(results, new IteratorEntrySet(ret.iterator()), base, scope, filter, attributes, typesOnly, constraints);
}
return;
}
}
Also used :
Group(com.okta.sdk.resource.group.Group)
User(com.okta.sdk.resource.user.User)
ArrayList(java.util.ArrayList)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
IteratorEntrySet(net.sourceforge.myvd.util.IteratorEntrySet)
Entry(net.sourceforge.myvd.types.Entry)
LDAPEntry(com.novell.ldap.LDAPEntry)
LDAPEntry(com.novell.ldap.LDAPEntry)
LDAPException(com.novell.ldap.LDAPException)
GroupList(com.okta.sdk.resource.group.GroupList)
Filter(net.sourceforge.myvd.types.Filter)
OktaTarget(com.tremolosecurity.unison.okta.provisioning.OktaTarget)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
ResourceException(com.okta.sdk.resource.ResourceException)
AuthenticationClient(com.okta.authn.sdk.client.AuthenticationClient)
Client(com.okta.sdk.client.Client)
RDN(com.novell.ldap.util.RDN)
UserList(com.okta.sdk.resource.user.UserList)
HashSet(java.util.HashSet)
Example 4 with OktaTarget
use of com.tremolosecurity.unison.okta.provisioning.OktaTarget in project OpenUnison by TremoloSecurity.
the class OktaInsert method bind.
@Override
public void bind(BindInterceptorChain chain, DistinguishedName dn, Password pwd, LDAPConstraints constraints) throws LDAPException {
if (!this.users) {
throw new LDAPException("Unsupported", LDAPException.UNWILLING_TO_PERFORM, LDAPException.resultCodeToString(LDAPException.UNWILLING_TO_PERFORM));
}
RDN rdn = (RDN) dn.getDN().getRDNs().get(0);
if (!rdn.getType().equalsIgnoreCase("login")) {
throw new LDAPException("Unsupported", LDAPException.UNWILLING_TO_PERFORM, LDAPException.resultCodeToString(LDAPException.UNWILLING_TO_PERFORM));
}
String userid = rdn.getValue();
userid = userid.replace("\\+", "+");
OktaTarget os = null;
try {
os = (OktaTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.target).getProvider();
} catch (ProvisioningException e1) {
logger.error("Could not retrieve kubernetes target", e1);
throw new LDAPException("Could not connect to kubernetes", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR));
}
AuthenticationClient client = AuthenticationClients.builder().setOrgUrl(os.getDomain()).build();
String pwdStr = new String(pwd.getValue());
LDAPException ldapRes;
try {
OktaAuthResponse authResp = new OktaAuthResponse(userid);
client.authenticate(userid, pwdStr.toCharArray(), "", authResp);
if (authResp.getResult() != null) {
throw authResp.getResult();
}
} catch (AuthenticationException e) {
if (e.getStatus() == 401) {
throw new LDAPException("Could not authenticate", LDAPException.INVALID_CREDENTIALS, LDAPException.resultCodeToString(LDAPException.INVALID_CREDENTIALS));
} else {
logger.error("Unexpected authenticaiton error", e);
throw new LDAPException("Unexpected authentication error", LDAPException.OPERATIONS_ERROR, LDAPException.resultCodeToString(LDAPException.OPERATIONS_ERROR));
}
}
}
Also used :
LDAPException(com.novell.ldap.LDAPException)
AuthenticationException(com.okta.authn.sdk.AuthenticationException)
OktaTarget(com.tremolosecurity.unison.okta.provisioning.OktaTarget)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
AuthenticationClient(com.okta.authn.sdk.client.AuthenticationClient)
RDN(com.novell.ldap.util.RDN)
Aggregations
OktaTarget (com.tremolosecurity.unison.okta.provisioning.OktaTarget)4
Client (com.okta.sdk.client.Client)3
Group (com.okta.sdk.resource.group.Group)3
GroupList (com.okta.sdk.resource.group.GroupList)3
LDAPException (com.novell.ldap.LDAPException)2
RDN (com.novell.ldap.util.RDN)2
AuthenticationClient (com.okta.authn.sdk.client.AuthenticationClient)2
ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)2
ArrayList (java.util.ArrayList)2
LDAPEntry (com.novell.ldap.LDAPEntry)1
AuthenticationException (com.okta.authn.sdk.AuthenticationException)1
ResourceException (com.okta.sdk.resource.ResourceException)1
User (com.okta.sdk.resource.user.User)1
UserList (com.okta.sdk.resource.user.UserList)1
NVP (com.tremolosecurity.util.NVP)1
UnsupportedEncodingException (java.io.UnsupportedEncodingException)1
HashSet (java.util.HashSet)1
Entry (net.sourceforge.myvd.types.Entry)1
Filter (net.sourceforge.myvd.types.Filter)1
IteratorEntrySet (net.sourceforge.myvd.util.IteratorEntrySet)1
