Example 1 with Response
use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.
the class OpenShiftTarget method removeUserFromGroup.
public void removeUserFromGroup(String token, HttpCon con, String userName, String groupName, int approvalID, Workflow workflow) throws Exception {
Gson gson = new Gson();
StringBuffer b = new StringBuffer();
b.append("/apis/user.openshift.io/v1/groups/").append(groupName);
String json = this.callWS(token, con, b.toString());
com.tremolosecurity.unison.openshiftv3.model.groups.Group group = gson.fromJson(json, com.tremolosecurity.unison.openshiftv3.model.groups.Group.class);
if (group.getUsers() == null) {
group.setUsers(new HashSet<String>());
}
if (group.getUsers().contains(userName)) {
group.getUsers().remove(userName);
json = gson.toJson(group);
json = this.callWSPut(token, con, b.toString(), json);
Response resp = gson.fromJson(json, Response.class);
if (resp.getKind().equals("Group")) {
this.cfgMgr.getProvisioningEngine().logAction(name, false, ActionType.Delete, approvalID, workflow, "group", groupName);
} else {
throw new Exception("Could not remove group " + groupName + " to " + userName + " - " + resp.getReason());
}
}
}
Also used :
CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse)
Response(com.tremolosecurity.unison.openshiftv3.model.Response)
HttpResponse(org.apache.http.HttpResponse)
Gson(com.google.gson.Gson)
KeyStoreException(java.security.KeyStoreException)
StreamException(org.cryptacular.StreamException)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
KeyManagementException(java.security.KeyManagementException)
JoseException(org.jose4j.lang.JoseException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
ClientProtocolException(org.apache.http.client.ClientProtocolException)
ParseException(org.json.simple.parser.ParseException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
EncodingException(org.cryptacular.EncodingException)
IOException(java.io.IOException)
Example 2 with Response
use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.
the class OpenShiftTarget method addGroup.
@Override
public void addGroup(String name, Map<String, String> additionalAttributes, User user, Map<String, Object> request) throws ProvisioningException {
HttpCon con = null;
int approvalID = 0;
if (request.containsKey("APPROVAL_ID")) {
approvalID = (Integer) request.get("APPROVAL_ID");
}
Workflow workflow = (Workflow) request.get("WORKFLOW");
try {
String token = this.getAuthToken();
con = this.createClient();
Gson gson = new Gson();
// first lets see if the group exists
StringBuilder sb = new StringBuilder();
sb.append("/apis/user.openshift.io/v1/groups/").append(name);
com.tremolosecurity.unison.openshiftv3.model.groups.Group group = new com.tremolosecurity.unison.openshiftv3.model.groups.Group();
group.setKind("Group");
group.setApiVersion("user.openshift.io/v1");
group.setMetadata(new HashMap<String, Object>());
group.getMetadata().put("name", name);
group.getMetadata().put("creationTimestamp", null);
group.setUsers(null);
String jsonInput = gson.toJson(group);
if (!this.isObjectExists(token, con, "/apis/user.openshift.io/v1/groups", jsonInput)) {
String json = this.callWSPost(token, con, "/apis/user.openshift.io/v1/groups", jsonInput);
Response resp = gson.fromJson(json, Response.class);
if (resp.getKind().equalsIgnoreCase("Group")) {
this.cfgMgr.getProvisioningEngine().logAction(name, true, ActionType.Add, approvalID, workflow, "group-object", name);
} else {
throw new ProvisioningException("Unknown response : '" + json + "'");
}
}
} catch (Exception e) {
throw new ProvisioningException("Could not load group", e);
} finally {
if (con != null) {
con.getBcm().close();
}
}
}
Also used :
UserStoreProviderWithAddGroup(com.tremolosecurity.provisioning.core.UserStoreProviderWithAddGroup)
Workflow(com.tremolosecurity.provisioning.core.Workflow)
Gson(com.google.gson.Gson)
KeyStoreException(java.security.KeyStoreException)
StreamException(org.cryptacular.StreamException)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
KeyManagementException(java.security.KeyManagementException)
JoseException(org.jose4j.lang.JoseException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
ClientProtocolException(org.apache.http.client.ClientProtocolException)
ParseException(org.json.simple.parser.ParseException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
EncodingException(org.cryptacular.EncodingException)
IOException(java.io.IOException)
CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse)
Response(com.tremolosecurity.unison.openshiftv3.model.Response)
HttpResponse(org.apache.http.HttpResponse)
HttpCon(com.tremolosecurity.provisioning.util.HttpCon)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
JSONObject(org.json.simple.JSONObject)
Example 3 with Response
use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.
the class AddGroupToRole method addToRBACRole.
private void addToRBACRole(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
String roleBindingUri = new StringBuilder().append(this.openShiftVersion == 3.9 ? "/apis/rbac.authorization.k8s.io/v1/namespaces/" : "/apis/rbac.authorization.k8s.io/v1beta1/namespaces/").append(localProjectName).append("/rolebindings/").append(localPolicyName).toString();
String json = os.callWS(token, con, roleBindingUri);
if (logger.isDebugEnabled()) {
logger.debug("Policy binding : '" + json + "'");
}
JSONParser parser = new JSONParser();
JSONObject rb = (JSONObject) parser.parse(json);
if (rb.get("status") != null && rb.get("status").equals("Failure")) {
throw new ProvisioningException("Role binding : '" + localPolicyName + "' does not exist");
}
JSONArray subjects = (JSONArray) rb.get("subjects");
if (subjects != null) {
for (Object o : subjects) {
JSONObject jo = (JSONObject) o;
if (jo.get("kind").equals("Group") && jo.get("name").equals(localGroupName)) {
logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
return;
}
}
} else {
subjects = new JSONArray();
rb.put("subjects", subjects);
}
JSONObject binding = new JSONObject();
binding.put("kind", "Group");
binding.put("apiGroup", "rbac.authorization.k8s.io");
binding.put("name", localGroupName);
subjects.add(binding);
String jsonResp = os.callWSPut(token, con, roleBindingUri, rb.toJSONString());
Gson gson = new Gson();
Response resp = gson.fromJson(jsonResp, Response.class);
if (resp.getStatus() != null) {
throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
} else {
this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", new StringBuilder().append(localProjectName).append('.').append(localPolicyName).append('.').append(localGroupName).toString());
}
}
Also used :
Response(com.tremolosecurity.unison.openshiftv3.model.Response)
JSONObject(org.json.simple.JSONObject)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
JSONArray(org.json.simple.JSONArray)
Gson(com.google.gson.Gson)
JSONParser(org.json.simple.parser.JSONParser)
JSONObject(org.json.simple.JSONObject)
Example 4 with Response
use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.
the class AddGroupToRole method addTo36Role.
private void addTo36Role(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
String roleBindingUri = new StringBuilder().append("/oapi/v1/namespaces/").append(localProjectName).append("/policybindings").toString();
String json = os.callWS(token, con, roleBindingUri);
if (logger.isDebugEnabled()) {
logger.debug("All policy bindings : '" + json + "'");
}
JSONParser parser = new JSONParser();
JSONObject pbl = (JSONObject) parser.parse(json);
JSONArray items = (JSONArray) pbl.get("items");
JSONArray rb = (JSONArray) ((JSONObject) items.get(0)).get("roleBindings");
JSONObject foundRoleBinding = null;
boolean foundInGroupName = false;
boolean foundInSubjects = false;
boolean foundPolicy = false;
for (Object o : rb) {
JSONObject binding = (JSONObject) o;
if (binding.get("name").equals(localPolicyName)) {
foundPolicy = true;
JSONObject rbx = (JSONObject) binding.get("roleBinding");
foundRoleBinding = rbx;
JSONArray groupNames = (JSONArray) rbx.get("groupNames");
if (groupNames != null) {
for (Object o1 : groupNames) {
String groupName = (String) o1;
if (groupName.equalsIgnoreCase(localGroupName)) {
foundInGroupName = true;
}
}
}
JSONArray subjects = (JSONArray) rbx.get("subjects");
if (subjects != null) {
for (Object o1 : subjects) {
JSONObject subj = (JSONObject) o1;
if (subj.get("kind").equals("group") && subj.get("name").equals(localGroupName)) {
foundInSubjects = true;
}
}
}
}
}
if (foundInGroupName || foundInSubjects) {
logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
} else {
if (foundRoleBinding != null) {
JSONArray groupNames = (JSONArray) foundRoleBinding.get("groupNames");
if (groupNames == null) {
groupNames = new JSONArray();
foundRoleBinding.put("groupNames", groupNames);
}
groupNames.add(localGroupName);
JSONArray subjects = (JSONArray) foundRoleBinding.get("subjects");
if (subjects == null) {
subjects = new JSONArray();
foundRoleBinding.put("subjects", subjects);
}
JSONObject subject = new JSONObject();
subject.put("kind", "Group");
subject.put("name", localGroupName);
subjects.add(subject);
foundRoleBinding.put("kind", "RoleBinding");
foundRoleBinding.put("apiVersion", "v1");
if (logger.isDebugEnabled()) {
logger.debug("new policy : '" + foundRoleBinding + "'");
}
String saveURI = new StringBuilder().append("/oapi/v1/namespaces/").append(localProjectName).append("/rolebindings/").append(localPolicyName).toString();
String jsonResp = os.callWSPut(token, con, saveURI, foundRoleBinding.toJSONString());
Gson gson = new Gson();
Response resp = gson.fromJson(jsonResp, Response.class);
if (!resp.getKind().equals("RoleBinding")) {
throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
} else {
this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", new StringBuilder().append(localProjectName).append('.').append(localPolicyName).append('.').append(localGroupName).toString());
}
} else {
foundRoleBinding = new JSONObject();
foundRoleBinding.put("kind", "RoleBinding");
foundRoleBinding.put("apiVersion", "v1");
JSONObject metadata = new JSONObject();
metadata.put("name", localPolicyName);
metadata.put("namespace", localProjectName);
foundRoleBinding.put("metadata", metadata);
JSONArray groupNames = new JSONArray();
foundRoleBinding.put("groupNames", groupNames);
groupNames.add(localGroupName);
JSONArray subjects = new JSONArray();
foundRoleBinding.put("subjects", subjects);
JSONObject subject = new JSONObject();
subject.put("kind", "Group");
subject.put("name", localGroupName);
subjects.add(subject);
JSONObject roleRef = new JSONObject();
roleRef.put("name", localPolicyName);
foundRoleBinding.put("roleRef", roleRef);
String saveURI = new StringBuilder().append("/oapi/v1/namespaces/").append(localProjectName).append("/rolebindings").toString();
String jsonResp = os.callWSPost(token, con, saveURI, foundRoleBinding.toJSONString());
Gson gson = new Gson();
if (logger.isDebugEnabled()) {
logger.debug("response json - " + jsonResp);
}
Response resp = gson.fromJson(jsonResp, Response.class);
if (!resp.getKind().equals("RoleBinding")) {
throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + resp.getStatus());
} else {
this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", new StringBuilder().append(localProjectName).append('.').append(localPolicyName).append('.').append(localGroupName).toString());
}
}
}
}
Also used :
Response(com.tremolosecurity.unison.openshiftv3.model.Response)
JSONObject(org.json.simple.JSONObject)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
JSONArray(org.json.simple.JSONArray)
Gson(com.google.gson.Gson)
JSONParser(org.json.simple.parser.JSONParser)
JSONObject(org.json.simple.JSONObject)
Example 5 with Response
use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.
the class K8sInjectImpersonation method doFilter.
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
Iterator<String> it = request.getHeaderNames();
List<String> toRemove = new ArrayList<String>();
while (it.hasNext()) {
String headerName = it.next();
if (headerName.toLowerCase().startsWith("impersonate-") || headerName.equalsIgnoreCase("Authorization")) {
toRemove.add(headerName);
}
}
for (String headerToRemove : toRemove) {
request.removeHeader(headerToRemove);
}
request.removeHeader("Authorization");
AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
request.addHeader(new Attribute("Impersonate-User", userData.getAttribs().get(this.userNameAttribute).getValues().get(0)));
Attribute groups = new Attribute("Impersonate-Group");
groups.getValues().add("system:authenticated");
Attribute fromUser = userData.getAttribs().get(this.groupAttribute);
if (fromUser != null) {
groups.getValues().addAll(fromUser.getValues());
}
if (groups.getValues().size() > 0) {
request.addHeader(groups);
}
OpenShiftTarget target = (OpenShiftTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.targetName).getProvider();
request.addHeader(new Attribute("Authorization", new StringBuilder().append("Bearer ").append(target.getAuthToken()).toString()));
HashMap<String, String> uriParams = (HashMap<String, String>) request.getAttribute("TREMOLO_URI_PARAMS");
uriParams.put("k8s_url", target.getUrl());
chain.nextFilter(request, response, chain);
}
Also used :
AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo)
Attribute(com.tremolosecurity.saml.Attribute)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
OpenShiftTarget(com.tremolosecurity.unison.openshiftv3.OpenShiftTarget)
AuthController(com.tremolosecurity.proxy.auth.AuthController)
Aggregations
ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)17
HttpCon (com.tremolosecurity.provisioning.util.HttpCon)14
OpenShiftTarget (com.tremolosecurity.unison.openshiftv3.OpenShiftTarget)14
JSONObject (org.json.simple.JSONObject)12
JSONParser (org.json.simple.parser.JSONParser)9
IOException (java.io.IOException)8
ParseException (org.json.simple.parser.ParseException)8
Gson (com.google.gson.Gson)7
Workflow (com.tremolosecurity.provisioning.core.Workflow)7
Response (com.tremolosecurity.unison.openshiftv3.model.Response)7
ClientProtocolException (org.apache.http.client.ClientProtocolException)7
JoseException (org.jose4j.lang.JoseException)6
UnsupportedEncodingException (java.io.UnsupportedEncodingException)5
KeyManagementException (java.security.KeyManagementException)5
KeyStoreException (java.security.KeyStoreException)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)5
UnrecoverableKeyException (java.security.UnrecoverableKeyException)5
HashMap (java.util.HashMap)5
HttpResponse (org.apache.http.HttpResponse)5
CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)5
