Example 1 with Response

Use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.

From the class OpenShiftTarget, method removeUserFromGroup:

// Removes userName from the OpenShift group groupName: fetch the Group object,
// drop the user from its user list, and PUT the modified object back.
public void removeUserFromGroup(String token, HttpCon con, String userName, String groupName, int approvalID, Workflow workflow) throws Exception {
    Gson gson = new Gson();
    StringBuffer b = new StringBuffer();
    b.append("/apis/user.openshift.io/v1/groups/").append(groupName);
    // GET the current group definition
    String json = this.callWS(token, con, b.toString());
    com.tremolosecurity.unison.openshiftv3.model.groups.Group group = gson.fromJson(json, com.tremolosecurity.unison.openshiftv3.model.groups.Group.class);
    if (group.getUsers() == null) {
        group.setUsers(new HashSet<String>());
    }
    // nothing to do if the user is not a member
    if (group.getUsers().contains(userName)) {
        group.getUsers().remove(userName);
        json = gson.toJson(group);
        // PUT the updated group; a successful write echoes a Group object back,
        // a failure carries a reason instead
        json = this.callWSPut(token, con, b.toString(), json);
        Response resp = gson.fromJson(json, Response.class);
        if (resp.getKind().equals("Group")) {
            this.cfgMgr.getProvisioningEngine().logAction(name, false, ActionType.Delete, approvalID, workflow, "group", groupName);
        } else {
            throw new Exception("Could not remove user " + userName + " from group " + groupName + " - " + resp.getReason());
        }
    }
}
Also used:
- CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)
- Response (com.tremolosecurity.unison.openshiftv3.model.Response)
- HttpResponse (org.apache.http.HttpResponse)
- Gson (com.google.gson.Gson)
- KeyStoreException (java.security.KeyStoreException)
- StreamException (org.cryptacular.StreamException)
- ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)
- KeyManagementException (java.security.KeyManagementException)
- JoseException (org.jose4j.lang.JoseException)
- NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)
- UnsupportedEncodingException (java.io.UnsupportedEncodingException)
- ClientProtocolException (org.apache.http.client.ClientProtocolException)
- ParseException (org.json.simple.parser.ParseException)
- UnrecoverableKeyException (java.security.UnrecoverableKeyException)
- EncodingException (org.cryptacular.EncodingException)
- IOException (java.io.IOException)

Example 2 with Response

Use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.

From the class OpenShiftTarget, method addGroup:

@Override
public void addGroup(String name, Map<String, String> additionalAttributes, User user, Map<String, Object> request) throws ProvisioningException {
    HttpCon con = null;
    int approvalID = 0;
    if (request.containsKey("APPROVAL_ID")) {
        approvalID = (Integer) request.get("APPROVAL_ID");
    }
    Workflow workflow = (Workflow) request.get("WORKFLOW");
    try {
        String token = this.getAuthToken();
        con = this.createClient();
        Gson gson = new Gson();
        // first let's see if the group exists
        StringBuilder sb = new StringBuilder();
        sb.append("/apis/user.openshift.io/v1/groups/").append(name);
        // build a minimal Group object; creationTimestamp and users are left
        // unset so the API server fills them in
        com.tremolosecurity.unison.openshiftv3.model.groups.Group group = new com.tremolosecurity.unison.openshiftv3.model.groups.Group();
        group.setKind("Group");
        group.setApiVersion("user.openshift.io/v1");
        group.setMetadata(new HashMap<String, Object>());
        group.getMetadata().put("name", name);
        group.getMetadata().put("creationTimestamp", null);
        group.setUsers(null);
        String jsonInput = gson.toJson(group);
        if (!this.isObjectExists(token, con, "/apis/user.openshift.io/v1/groups", jsonInput)) {
            // POST creates the group; the API server echoes the Group object on success
            String json = this.callWSPost(token, con, "/apis/user.openshift.io/v1/groups", jsonInput);
            Response resp = gson.fromJson(json, Response.class);
            if (resp.getKind().equalsIgnoreCase("Group")) {
                this.cfgMgr.getProvisioningEngine().logAction(name, true, ActionType.Add, approvalID, workflow, "group-object", name);
            } else {
                throw new ProvisioningException("Unknown response : '" + json + "'");
            }
        }
    } catch (Exception e) {
        throw new ProvisioningException("Could not load group", e);
    } finally {
        // always release the connection manager
        if (con != null) {
            con.getBcm().close();
        }
    }
}
Also used:
- UserStoreProviderWithAddGroup (com.tremolosecurity.provisioning.core.UserStoreProviderWithAddGroup)
- Workflow (com.tremolosecurity.provisioning.core.Workflow)
- Gson (com.google.gson.Gson)
- KeyStoreException (java.security.KeyStoreException)
- StreamException (org.cryptacular.StreamException)
- ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)
- KeyManagementException (java.security.KeyManagementException)
- JoseException (org.jose4j.lang.JoseException)
- NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)
- UnsupportedEncodingException (java.io.UnsupportedEncodingException)
- ClientProtocolException (org.apache.http.client.ClientProtocolException)
- ParseException (org.json.simple.parser.ParseException)
- UnrecoverableKeyException (java.security.UnrecoverableKeyException)
- EncodingException (org.cryptacular.EncodingException)
- IOException (java.io.IOException)
- CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)
- Response (com.tremolosecurity.unison.openshiftv3.model.Response)
- HttpResponse (org.apache.http.HttpResponse)
- HttpCon (com.tremolosecurity.provisioning.util.HttpCon)
- JSONObject (org.json.simple.JSONObject)

Example 3 with Response

Use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.

From the class AddGroupToRole, method addToRBACRole:

// Adds a group as a subject of an existing RBAC RoleBinding in a project.
private void addToRBACRole(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
    // OpenShift 3.9 serves role bindings from the v1 RBAC API; older releases use v1beta1
    String roleBindingUri = new StringBuilder().append(this.openShiftVersion == 3.9 ? "/apis/rbac.authorization.k8s.io/v1/namespaces/" : "/apis/rbac.authorization.k8s.io/v1beta1/namespaces/").append(localProjectName).append("/rolebindings/").append(localPolicyName).toString();
    String json = os.callWS(token, con, roleBindingUri);
    if (logger.isDebugEnabled()) {
        logger.debug("Policy binding : '" + json + "'");
    }
    JSONParser parser = new JSONParser();
    JSONObject rb = (JSONObject) parser.parse(json);
    // a Status object with status=Failure means the binding was not found
    if (rb.get("status") != null && rb.get("status").equals("Failure")) {
        throw new ProvisioningException("Role binding : '" + localPolicyName + "' does not exist");
    }
    JSONArray subjects = (JSONArray) rb.get("subjects");
    if (subjects != null) {
        // skip the write if the group is already bound
        for (Object o : subjects) {
            JSONObject jo = (JSONObject) o;
            if (jo.get("kind").equals("Group") && jo.get("name").equals(localGroupName)) {
                logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
                return;
            }
        }
    } else {
        subjects = new JSONArray();
        rb.put("subjects", subjects);
    }
    JSONObject binding = new JSONObject();
    binding.put("kind", "Group");
    binding.put("apiGroup", "rbac.authorization.k8s.io");
    binding.put("name", localGroupName);
    subjects.add(binding);
    // PUT the whole binding back; a non-null status field signals an error response
    String jsonResp = os.callWSPut(token, con, roleBindingUri, rb.toJSONString());
    Gson gson = new Gson();
    Response resp = gson.fromJson(jsonResp, Response.class);
    if (resp.getStatus() != null) {
        throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
    } else {
        this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", new StringBuilder().append(localProjectName).append('.').append(localPolicyName).append('.').append(localGroupName).toString());
    }
}
Also used:
- Response (com.tremolosecurity.unison.openshiftv3.model.Response)
- JSONObject (org.json.simple.JSONObject)
- ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)
- JSONArray (org.json.simple.JSONArray)
- Gson (com.google.gson.Gson)
- JSONParser (org.json.simple.parser.JSONParser)

Example 4 with Response

Use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.

From the class AddGroupToRole, method addTo36Role:

// Adds a group to a role binding using the legacy OpenShift 3.6 /oapi policy
// binding API, creating the role binding if it does not exist yet.
private void addTo36Role(OpenShiftTarget os, String token, HttpCon con, String localProjectName, String localPolicyName, String localGroupName, int approvalID) throws Exception {
    String roleBindingUri = new StringBuilder().append("/oapi/v1/namespaces/").append(localProjectName).append("/policybindings").toString();
    String json = os.callWS(token, con, roleBindingUri);
    if (logger.isDebugEnabled()) {
        logger.debug("All policy bindings : '" + json + "'");
    }
    JSONParser parser = new JSONParser();
    JSONObject pbl = (JSONObject) parser.parse(json);
    JSONArray items = (JSONArray) pbl.get("items");
    // the project's role bindings live under the first policy binding item
    JSONArray rb = (JSONArray) ((JSONObject) items.get(0)).get("roleBindings");
    JSONObject foundRoleBinding = null;
    boolean foundInGroupName = false;
    boolean foundInSubjects = false;
    boolean foundPolicy = false;
    // look for the named policy and check whether the group is already listed,
    // either in the legacy groupNames list or in the subjects list
    for (Object o : rb) {
        JSONObject binding = (JSONObject) o;
        if (binding.get("name").equals(localPolicyName)) {
            foundPolicy = true;
            JSONObject rbx = (JSONObject) binding.get("roleBinding");
            foundRoleBinding = rbx;
            JSONArray groupNames = (JSONArray) rbx.get("groupNames");
            if (groupNames != null) {
                for (Object o1 : groupNames) {
                    String groupName = (String) o1;
                    if (groupName.equalsIgnoreCase(localGroupName)) {
                        foundInGroupName = true;
                    }
                }
            }
            JSONArray subjects = (JSONArray) rbx.get("subjects");
            if (subjects != null) {
                for (Object o1 : subjects) {
                    JSONObject subj = (JSONObject) o1;
                    if (subj.get("kind").equals("group") && subj.get("name").equals(localGroupName)) {
                        foundInSubjects = true;
                    }
                }
            }
        }
    }
    if (foundInGroupName || foundInSubjects) {
        logger.warn(localGroupName + " already in policy " + localPolicyName + " on project " + localProjectName);
    } else {
        if (foundRoleBinding != null) {
            // existing binding: append the group to both groupNames and subjects, then PUT
            JSONArray groupNames = (JSONArray) foundRoleBinding.get("groupNames");
            if (groupNames == null) {
                groupNames = new JSONArray();
                foundRoleBinding.put("groupNames", groupNames);
            }
            groupNames.add(localGroupName);
            JSONArray subjects = (JSONArray) foundRoleBinding.get("subjects");
            if (subjects == null) {
                subjects = new JSONArray();
                foundRoleBinding.put("subjects", subjects);
            }
            JSONObject subject = new JSONObject();
            subject.put("kind", "Group");
            subject.put("name", localGroupName);
            subjects.add(subject);
            foundRoleBinding.put("kind", "RoleBinding");
            foundRoleBinding.put("apiVersion", "v1");
            if (logger.isDebugEnabled()) {
                logger.debug("new policy : '" + foundRoleBinding + "'");
            }
            String saveURI = new StringBuilder().append("/oapi/v1/namespaces/").append(localProjectName).append("/rolebindings/").append(localPolicyName).toString();
            String jsonResp = os.callWSPut(token, con, saveURI, foundRoleBinding.toJSONString());
            Gson gson = new Gson();
            Response resp = gson.fromJson(jsonResp, Response.class);
            // a successful write echoes the RoleBinding object back
            if (!resp.getKind().equals("RoleBinding")) {
                throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + jsonResp);
            } else {
                this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", new StringBuilder().append(localProjectName).append('.').append(localPolicyName).append('.').append(localGroupName).toString());
            }
        } else {
            // no binding for this policy yet: build a new RoleBinding and POST it
            foundRoleBinding = new JSONObject();
            foundRoleBinding.put("kind", "RoleBinding");
            foundRoleBinding.put("apiVersion", "v1");
            JSONObject metadata = new JSONObject();
            metadata.put("name", localPolicyName);
            metadata.put("namespace", localProjectName);
            foundRoleBinding.put("metadata", metadata);
            JSONArray groupNames = new JSONArray();
            foundRoleBinding.put("groupNames", groupNames);
            groupNames.add(localGroupName);
            JSONArray subjects = new JSONArray();
            foundRoleBinding.put("subjects", subjects);
            JSONObject subject = new JSONObject();
            subject.put("kind", "Group");
            subject.put("name", localGroupName);
            subjects.add(subject);
            JSONObject roleRef = new JSONObject();
            roleRef.put("name", localPolicyName);
            foundRoleBinding.put("roleRef", roleRef);
            String saveURI = new StringBuilder().append("/oapi/v1/namespaces/").append(localProjectName).append("/rolebindings").toString();
            String jsonResp = os.callWSPost(token, con, saveURI, foundRoleBinding.toJSONString());
            Gson gson = new Gson();
            if (logger.isDebugEnabled()) {
                logger.debug("response json  - " + jsonResp);
            }
            Response resp = gson.fromJson(jsonResp, Response.class);
            if (!resp.getKind().equals("RoleBinding")) {
                throw new ProvisioningException("Could not add '" + localGroupName + "' to '" + localPolicyName + "' in project '" + localProjectName + "' - " + resp.getStatus());
            } else {
                this.task.getConfigManager().getProvisioningEngine().logAction(this.targetName, true, ActionType.Add, approvalID, this.task.getWorkflow(), "openshift-project.role.group", new StringBuilder().append(localProjectName).append('.').append(localPolicyName).append('.').append(localGroupName).toString());
            }
        }
    }
}
Also used:
- Response (com.tremolosecurity.unison.openshiftv3.model.Response)
- JSONObject (org.json.simple.JSONObject)
- ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)
- JSONArray (org.json.simple.JSONArray)
- Gson (com.google.gson.Gson)
- JSONParser (org.json.simple.parser.JSONParser)

Example 5 with Response

Use of com.tremolosecurity.unison.openshiftv3.model.Response in project OpenUnison by TremoloSecurity.

From the class K8sInjectImpersonation, method doFilter:

@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    // Strip every client-supplied Impersonate-* and Authorization header so the
    // caller cannot choose its own identity or groups; the proxy sets them below
    // from the authenticated session only.
    Iterator<String> it = request.getHeaderNames();
    List<String> toRemove = new ArrayList<String>();
    while (it.hasNext()) {
        String headerName = it.next();
        if (headerName.toLowerCase().startsWith("impersonate-") || headerName.equalsIgnoreCase("Authorization")) {
            toRemove.add(headerName);
        }
    }
    for (String headerToRemove : toRemove) {
        request.removeHeader(headerToRemove);
    }
    request.removeHeader("Authorization");
    // The identity comes from the session the proxy's own authentication chain
    // established, never from the incoming request.
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    request.addHeader(new Attribute("Impersonate-User", userData.getAttribs().get(this.userNameAttribute).getValues().get(0)));
    // Every impersonated user is at least system:authenticated; further groups
    // come from the configured group attribute.
    Attribute groups = new Attribute("Impersonate-Group");
    groups.getValues().add("system:authenticated");
    Attribute fromUser = userData.getAttribs().get(this.groupAttribute);
    if (fromUser != null) {
        groups.getValues().addAll(fromUser.getValues());
    }
    if (groups.getValues().size() > 0) {
        request.addHeader(groups);
    }
    // Authenticate to the API server with the target's own token; the
    // Impersonate-* headers tell the API server which user to authorize as.
    OpenShiftTarget target = (OpenShiftTarget) GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getTarget(this.targetName).getProvider();
    request.addHeader(new Attribute("Authorization", new StringBuilder().append("Bearer ").append(target.getAuthToken()).toString()));
    HashMap<String, String> uriParams = (HashMap<String, String>) request.getAttribute("TREMOLO_URI_PARAMS");
    uriParams.put("k8s_url", target.getUrl());
    chain.nextFilter(request, response, chain);
}
Also used:
- AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)
- Attribute (com.tremolosecurity.saml.Attribute)
- HashMap (java.util.HashMap)
- ArrayList (java.util.ArrayList)
- OpenShiftTarget (com.tremolosecurity.unison.openshiftv3.OpenShiftTarget)
- AuthController (com.tremolosecurity.proxy.auth.AuthController)

Aggregations

Classes used alongside Response across these examples (count after each entry):

- ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException): 17
- HttpCon (com.tremolosecurity.provisioning.util.HttpCon): 14
- OpenShiftTarget (com.tremolosecurity.unison.openshiftv3.OpenShiftTarget): 14
- JSONObject (org.json.simple.JSONObject): 12
- JSONParser (org.json.simple.parser.JSONParser): 9
- IOException (java.io.IOException): 8
- ParseException (org.json.simple.parser.ParseException): 8
- Gson (com.google.gson.Gson): 7
- Workflow (com.tremolosecurity.provisioning.core.Workflow): 7
- Response (com.tremolosecurity.unison.openshiftv3.model.Response): 7
- ClientProtocolException (org.apache.http.client.ClientProtocolException): 7
- JoseException (org.jose4j.lang.JoseException): 6
- UnsupportedEncodingException (java.io.UnsupportedEncodingException): 5
- KeyManagementException (java.security.KeyManagementException): 5
- KeyStoreException (java.security.KeyStoreException): 5
- NoSuchAlgorithmException (java.security.NoSuchAlgorithmException): 5
- UnrecoverableKeyException (java.security.UnrecoverableKeyException): 5
- HashMap (java.util.HashMap): 5
- HttpResponse (org.apache.http.HttpResponse): 5
- CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse): 5