Example 1 with Role
use of com.tremolosecurity.unison.openstack.model.Role in project OpenUnison by TremoloSecurity.
the class KeystoneProvisioningTarget method syncUser.
@Override
public void syncUser(User user, boolean addOnly, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
int approvalID = 0;
if (request.containsKey("APPROVAL_ID")) {
approvalID = (Integer) request.get("APPROVAL_ID");
}
Workflow workflow = (Workflow) request.get("WORKFLOW");
HttpCon con = null;
Gson gson = new Gson();
try {
con = this.createClient();
KSToken token = this.getToken(con);
UserAndID fromKS = this.lookupUser(user.getUserID(), attributes, request, token, con);
if (fromKS == null) {
this.createUser(user, attributes, request);
} else {
// check attributes
HashMap<String, String> attrsUpdate = new HashMap<String, String>();
KSUser toPatch = new KSUser();
if (!rolesOnly) {
if (attributes.contains("email")) {
String fromKSVal = null;
String newVal = null;
if (fromKS.getUser().getAttribs().get("email") != null) {
fromKSVal = fromKS.getUser().getAttribs().get("email").getValues().get(0);
}
if (user.getAttribs().get("email") != null) {
newVal = user.getAttribs().get("email").getValues().get(0);
}
if (newVal != null && (fromKSVal == null || !fromKSVal.equalsIgnoreCase(newVal))) {
toPatch.setEmail(newVal);
attrsUpdate.put("email", newVal);
} else if (!addOnly && newVal == null && fromKSVal != null) {
toPatch.setEmail("");
attrsUpdate.put("email", "");
}
}
if (attributes.contains("enabled")) {
String fromKSVal = null;
String newVal = null;
if (fromKS.getUser().getAttribs().get("enabled") != null) {
fromKSVal = fromKS.getUser().getAttribs().get("enabled").getValues().get(0);
}
if (user.getAttribs().get("enabled") != null) {
newVal = user.getAttribs().get("enabled").getValues().get(0);
}
if (newVal != null && (fromKSVal == null || !fromKSVal.equalsIgnoreCase(newVal))) {
toPatch.setName(newVal);
attrsUpdate.put("enabled", newVal);
} else if (!addOnly && newVal == null && fromKSVal != null) {
toPatch.setEnabled(false);
attrsUpdate.put("enabled", "");
}
}
if (attributes.contains("description")) {
String fromKSVal = null;
String newVal = null;
if (fromKS.getUser().getAttribs().get("description") != null) {
fromKSVal = fromKS.getUser().getAttribs().get("description").getValues().get(0);
}
if (user.getAttribs().get("description") != null) {
newVal = user.getAttribs().get("description").getValues().get(0);
}
if (newVal != null && (fromKSVal == null || !fromKSVal.equalsIgnoreCase(newVal))) {
toPatch.setDescription(newVal);
attrsUpdate.put("description", newVal);
} else if (!addOnly && newVal == null && fromKSVal != null) {
toPatch.setDescription("");
attrsUpdate.put("description", "");
}
}
if (!attrsUpdate.isEmpty()) {
UserHolder holder = new UserHolder();
holder.setUser(toPatch);
String json = gson.toJson(holder);
StringBuffer b = new StringBuffer();
b.append(this.url).append("/users/").append(fromKS.getId());
json = this.callWSPotch(token.getAuthToken(), con, b.toString(), json);
for (String attr : attrsUpdate.keySet()) {
String val = attrsUpdate.get(attr);
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Replace, approvalID, workflow, attr, val);
}
}
for (String group : user.getGroups()) {
if (!fromKS.getUser().getGroups().contains(group)) {
String groupID = this.getGroupID(token.getAuthToken(), con, group);
StringBuffer b = new StringBuffer();
b.append(this.url).append("/groups/").append(groupID).append("/users/").append(fromKS.getId());
if (this.callWSPutNoData(token.getAuthToken(), con, b.toString())) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "group", group);
} else {
throw new ProvisioningException("Could not add group " + group);
}
}
}
if (!addOnly) {
for (String group : fromKS.getUser().getGroups()) {
if (!user.getGroups().contains(group)) {
String groupID = this.getGroupID(token.getAuthToken(), con, group);
StringBuffer b = new StringBuffer();
b.append(this.url).append("/groups/").append(groupID).append("/users/").append(fromKS.getId());
this.callWSDelete(token.getAuthToken(), con, b.toString());
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Delete, approvalID, workflow, "group", group);
}
}
}
}
if (attributes.contains("roles")) {
HashSet<Role> currentRoles = new HashSet<Role>();
if (fromKS.getUser().getAttribs().get("roles") != null) {
Attribute attr = fromKS.getUser().getAttribs().get("roles");
for (String jsonRole : attr.getValues()) {
currentRoles.add(gson.fromJson(jsonRole, Role.class));
}
}
if (user.getAttribs().containsKey("roles")) {
StringBuffer b = new StringBuffer();
Attribute attr = user.getAttribs().get("roles");
for (String jsonRole : attr.getValues()) {
Role role = gson.fromJson(jsonRole, Role.class);
if (!currentRoles.contains(role)) {
if (role.getScope().equalsIgnoreCase("project")) {
String projectid = this.getProjectID(token.getAuthToken(), con, role.getProject());
if (projectid == null) {
throw new ProvisioningException("Project " + role.getDomain() + " does not exist");
}
String roleid = this.getRoleID(token.getAuthToken(), con, role.getName());
if (roleid == null) {
throw new ProvisioningException("Role " + role.getName() + " does not exist");
}
b.setLength(0);
b.append(this.url).append("/projects/").append(projectid).append("/users/").append(fromKS.getId()).append("/roles/").append(roleid);
if (this.callWSPutNoData(token.getAuthToken(), con, b.toString())) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "role", jsonRole);
} else {
throw new ProvisioningException("Could not add role " + jsonRole);
}
} else {
String domainid = this.getDomainID(token.getAuthToken(), con, role.getDomain());
if (domainid == null) {
throw new ProvisioningException("Domain " + role.getDomain() + " does not exist");
}
String roleid = this.getRoleID(token.getAuthToken(), con, role.getName());
if (roleid == null) {
throw new ProvisioningException("Role " + role.getName() + " does not exist");
}
b.setLength(0);
b.append(this.url).append("/domains/").append(domainid).append("/users/").append(fromKS.getId()).append("/roles/").append(roleid);
if (this.callWSPutNoData(token.getAuthToken(), con, b.toString())) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "role", jsonRole);
} else {
throw new ProvisioningException("Could not add role " + jsonRole);
}
}
}
}
}
}
if (!addOnly) {
if (attributes.contains("roles")) {
HashSet<Role> currentRoles = new HashSet<Role>();
if (user.getAttribs().get("roles") != null) {
Attribute attr = user.getAttribs().get("roles");
for (String jsonRole : attr.getValues()) {
currentRoles.add(gson.fromJson(jsonRole, Role.class));
}
}
if (fromKS.getUser().getAttribs().containsKey("roles")) {
StringBuffer b = new StringBuffer();
Attribute attr = fromKS.getUser().getAttribs().get("roles");
for (String jsonRole : attr.getValues()) {
Role role = gson.fromJson(jsonRole, Role.class);
if (!currentRoles.contains(role)) {
if (role.getScope().equalsIgnoreCase("project")) {
String projectid = this.getProjectID(token.getAuthToken(), con, role.getProject());
if (projectid == null) {
throw new ProvisioningException("Project " + role.getDomain() + " does not exist");
}
String roleid = this.getRoleID(token.getAuthToken(), con, role.getName());
if (roleid == null) {
throw new ProvisioningException("Role " + role.getName() + " does not exist");
}
b.setLength(0);
b.append(this.url).append("/projects/").append(projectid).append("/users/").append(fromKS.getId()).append("/roles/").append(roleid);
this.callWSDelete(token.getAuthToken(), con, b.toString());
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Delete, approvalID, workflow, "role", jsonRole);
} else {
String domainid = this.getDomainID(token.getAuthToken(), con, role.getDomain());
if (domainid == null) {
throw new ProvisioningException("Domain " + role.getDomain() + " does not exist");
}
String roleid = this.getRoleID(token.getAuthToken(), con, role.getName());
if (roleid == null) {
throw new ProvisioningException("Role " + role.getName() + " does not exist");
}
b.setLength(0);
b.append(this.url).append("/domains/").append(domainid).append("/users/").append(fromKS.getId()).append("/roles/").append(roleid);
this.callWSDelete(token.getAuthToken(), con, b.toString());
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Delete, approvalID, workflow, "role", jsonRole);
}
}
}
}
}
}
}
} catch (Exception e) {
throw new ProvisioningException("Could not work with keystone", e);
} finally {
if (con != null) {
con.getBcm().shutdown();
}
}
}
Also used :
UserAndID(com.tremolosecurity.unison.openstack.model.UserAndID)
HashMap(java.util.HashMap)
Attribute(com.tremolosecurity.saml.Attribute)
KSUser(com.tremolosecurity.unison.openstack.model.KSUser)
Workflow(com.tremolosecurity.provisioning.core.Workflow)
Gson(com.google.gson.Gson)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
ClientProtocolException(org.apache.http.client.ClientProtocolException)
IOException(java.io.IOException)
KSRole(com.tremolosecurity.unison.openstack.model.KSRole)
Role(com.tremolosecurity.unison.openstack.model.Role)
HttpCon(com.tremolosecurity.provisioning.util.HttpCon)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
KSToken(com.tremolosecurity.unison.openstack.util.KSToken)
UserHolder(com.tremolosecurity.unison.openstack.model.UserHolder)
HashSet(java.util.HashSet)
Example 2 with Role
use of com.tremolosecurity.unison.openstack.model.Role in project OpenUnison by TremoloSecurity.
the class KeystoneProvisioningTarget method lookupUser.
public UserAndID lookupUser(String userID, Set<String> attributes, Map<String, Object> request, KSToken token, HttpCon con) throws Exception {
KSUser fromKS = null;
List<NameValuePair> qparams = new ArrayList<NameValuePair>();
qparams.add(new BasicNameValuePair("domain_id", this.usersDomain));
qparams.add(new BasicNameValuePair("name", userID));
StringBuffer b = new StringBuffer();
b.append(this.url).append("/users?").append(URLEncodedUtils.format(qparams, "UTF-8"));
String fullURL = b.toString();
String json = this.callWS(token.getAuthToken(), con, fullURL);
Gson gson = new Gson();
UserLookupResponse resp = gson.fromJson(json, UserLookupResponse.class);
if (resp.getUsers().isEmpty()) {
return null;
} else {
fromKS = resp.getUsers().get(0);
User user = new User(fromKS.getName());
if (attributes.contains("name")) {
user.getAttribs().put("name", new Attribute("name", fromKS.getName()));
}
if (attributes.contains("id")) {
user.getAttribs().put("id", new Attribute("id", fromKS.getId()));
}
if (attributes.contains("email") && fromKS.getEmail() != null) {
user.getAttribs().put("email", new Attribute("email", fromKS.getEmail()));
}
if (attributes.contains("description") && fromKS.getDescription() != null) {
user.getAttribs().put("description", new Attribute("description", fromKS.getEmail()));
}
if (attributes.contains("enabled")) {
user.getAttribs().put("enabled", new Attribute("enabled", Boolean.toString(fromKS.getEnabled())));
}
if (!rolesOnly) {
b.setLength(0);
b.append(this.url).append("/users/").append(fromKS.getId()).append("/groups");
json = this.callWS(token.getAuthToken(), con, b.toString());
GroupLookupResponse gresp = gson.fromJson(json, GroupLookupResponse.class);
for (KSGroup group : gresp.getGroups()) {
user.getGroups().add(group.getName());
}
}
if (attributes.contains("roles")) {
b.setLength(0);
b.append(this.url).append("/role_assignments?user.id=").append(fromKS.getId()).append("&include_names=true");
json = this.callWS(token.getAuthToken(), con, b.toString());
RoleAssignmentResponse rar = gson.fromJson(json, RoleAssignmentResponse.class);
Attribute attr = new Attribute("roles");
for (KSRoleAssignment role : rar.getRole_assignments()) {
if (role.getScope().getProject() != null) {
attr.getValues().add(gson.toJson(new Role(role.getRole().getName(), "project", role.getScope().getProject().getDomain().getName(), role.getScope().getProject().getName())));
} else {
attr.getValues().add(gson.toJson(new Role(role.getRole().getName(), "domain", role.getScope().getDomain().getName())));
}
}
if (!attr.getValues().isEmpty()) {
user.getAttribs().put("roles", attr);
}
}
UserAndID userAndId = new UserAndID();
userAndId.setUser(user);
userAndId.setId(fromKS.getId());
return userAndId;
}
}
Also used :
NameValuePair(org.apache.http.NameValuePair)
BasicNameValuePair(org.apache.http.message.BasicNameValuePair)
UserAndID(com.tremolosecurity.unison.openstack.model.UserAndID)
User(com.tremolosecurity.provisioning.core.User)
KSUser(com.tremolosecurity.unison.openstack.model.KSUser)
KSGroup(com.tremolosecurity.unison.openstack.model.KSGroup)
Attribute(com.tremolosecurity.saml.Attribute)
GroupLookupResponse(com.tremolosecurity.unison.openstack.model.GroupLookupResponse)
KSUser(com.tremolosecurity.unison.openstack.model.KSUser)
ArrayList(java.util.ArrayList)
KSRoleAssignment(com.tremolosecurity.unison.openstack.model.KSRoleAssignment)
Gson(com.google.gson.Gson)
RoleAssignmentResponse(com.tremolosecurity.unison.openstack.model.RoleAssignmentResponse)
KSRole(com.tremolosecurity.unison.openstack.model.KSRole)
Role(com.tremolosecurity.unison.openstack.model.Role)
BasicNameValuePair(org.apache.http.message.BasicNameValuePair)
UserLookupResponse(com.tremolosecurity.unison.openstack.model.UserLookupResponse)
Example 3 with Role
use of com.tremolosecurity.unison.openstack.model.Role in project OpenUnison by TremoloSecurity.
the class AddRoleTask method doTask.
@Override
public boolean doTask(User user, Map<String, Object> request) throws ProvisioningException {
Role r = new Role();
if (name != null) {
r.setName(task.renderTemplate(name, request));
} else {
r.setName((String) request.get("role_name"));
}
if (scope != null) {
r.setScope(task.renderTemplate(scope, request));
} else {
r.setScope("project");
}
if (domain != null) {
r.setDomain(task.renderTemplate(domain, request));
} else {
if (r.getScope().equalsIgnoreCase("project")) {
r.setDomain((String) request.get("project_domain_name"));
} else {
r.setDomain((String) request.get("domain_name"));
}
}
if (project != null) {
r.setProject(task.renderTemplate(project, request));
} else {
r.setProject((String) request.get("project_name"));
}
Attribute attr = user.getAttribs().get("roles");
if (attr == null) {
attr = new Attribute("roles");
user.getAttribs().put("roles", attr);
}
Gson gson = new Gson();
HashSet<Role> roles = new HashSet<Role>();
for (String roleJSON : attr.getValues()) {
roles.add(gson.fromJson(roleJSON, Role.class));
}
attr.getValues().clear();
if (remove) {
roles.remove(r);
} else {
roles.add(r);
}
for (Role rx : roles) {
attr.getValues().add(gson.toJson(rx));
}
return true;
}Example 4 with Role
use of com.tremolosecurity.unison.openstack.model.Role in project OpenUnison by TremoloSecurity.
the class KeystoneProvisioningTarget method createUser.
@Override
public void createUser(User user, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
if (rolesOnly) {
throw new ProvisioningException("Unsupported");
}
int approvalID = 0;
if (request.containsKey("APPROVAL_ID")) {
approvalID = (Integer) request.get("APPROVAL_ID");
}
Workflow workflow = (Workflow) request.get("WORKFLOW");
KSUser newUser = new KSUser();
newUser.setDomain_id(this.usersDomain);
newUser.setName(user.getUserID());
newUser.setEnabled(true);
if (attributes.contains("email") && user.getAttribs().containsKey("email")) {
newUser.setEmail(user.getAttribs().get("email").getValues().get(0));
}
if (attributes.contains("description") && user.getAttribs().containsKey("description")) {
newUser.setEmail(user.getAttribs().get("description").getValues().get(0));
}
HttpCon con = null;
KSUser fromKS = null;
try {
con = this.createClient();
KSToken token = this.getToken(con);
Gson gson = new Gson();
UserHolder userHolder = new UserHolder();
userHolder.setUser(newUser);
String json = gson.toJson(userHolder);
StringBuffer b = new StringBuffer();
b.append(this.url).append("/users");
json = this.callWSPost(token.getAuthToken(), con, b.toString(), json);
if (json == null) {
throw new Exception("Could not create user");
}
UserHolder createdUser = gson.fromJson(json, UserHolder.class);
if (createdUser.getUser() == null) {
throw new ProvisioningException("Could not create user :" + json);
}
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), true, ActionType.Add, approvalID, workflow, "name", user.getUserID());
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "name", user.getUserID());
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "domain_id", this.usersDomain);
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "enabled", "true");
if (attributes.contains("email")) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "email", user.getAttribs().get("email").getValues().get(0));
}
if (attributes.contains("description")) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "description", user.getAttribs().get("description").getValues().get(0));
}
for (String group : user.getGroups()) {
String groupID = this.getGroupID(token.getAuthToken(), con, group);
b.setLength(0);
b.append(this.url).append("/groups/").append(groupID).append("/users/").append(createdUser.getUser().getId());
if (this.callWSPutNoData(token.getAuthToken(), con, b.toString())) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "group", group);
} else {
throw new ProvisioningException("Could not add group " + group);
}
}
if (attributes.contains("roles")) {
Attribute roles = user.getAttribs().get("roles");
for (String roleJSON : roles.getValues()) {
Role role = gson.fromJson(roleJSON, Role.class);
if (role.getScope().equalsIgnoreCase("project")) {
String projectid = this.getProjectID(token.getAuthToken(), con, role.getProject());
if (projectid == null) {
throw new ProvisioningException("Project " + role.getDomain() + " does not exist");
}
String roleid = this.getRoleID(token.getAuthToken(), con, role.getName());
if (roleid == null) {
throw new ProvisioningException("Role " + role.getName() + " does not exist");
}
b.setLength(0);
b.append(this.url).append("/projects/").append(projectid).append("/users/").append(createdUser.getUser().getId()).append("/roles/").append(roleid);
if (this.callWSPutNoData(token.getAuthToken(), con, b.toString())) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "role", roleJSON);
} else {
throw new ProvisioningException("Could not add role " + roleJSON);
}
} else {
String domainid = this.getDomainID(token.getAuthToken(), con, role.getDomain());
if (domainid == null) {
throw new ProvisioningException("Domain " + role.getDomain() + " does not exist");
}
String roleid = this.getRoleID(token.getAuthToken(), con, role.getName());
if (roleid == null) {
throw new ProvisioningException("Role " + role.getName() + " does not exist");
}
b.setLength(0);
b.append(this.url).append("/domains/").append(domainid).append("/users/").append(createdUser.getUser().getId()).append("/roles/").append(roleid);
if (this.callWSPutNoData(token.getAuthToken(), con, b.toString())) {
this.cfgMgr.getProvisioningEngine().logAction(user.getUserID(), false, ActionType.Add, approvalID, workflow, "role", roleJSON);
} else {
throw new ProvisioningException("Could not add role " + roleJSON);
}
}
}
}
} catch (Exception e) {
throw new ProvisioningException("Could not work with keystone", e);
} finally {
if (con != null) {
con.getBcm().shutdown();
}
}
}
Also used :
Attribute(com.tremolosecurity.saml.Attribute)
KSUser(com.tremolosecurity.unison.openstack.model.KSUser)
Workflow(com.tremolosecurity.provisioning.core.Workflow)
Gson(com.google.gson.Gson)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
ClientProtocolException(org.apache.http.client.ClientProtocolException)
IOException(java.io.IOException)
KSRole(com.tremolosecurity.unison.openstack.model.KSRole)
Role(com.tremolosecurity.unison.openstack.model.Role)
HttpCon(com.tremolosecurity.provisioning.util.HttpCon)
ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
KSToken(com.tremolosecurity.unison.openstack.util.KSToken)
UserHolder(com.tremolosecurity.unison.openstack.model.UserHolder)
Aggregations
Gson (com.google.gson.Gson)4
Attribute (com.tremolosecurity.saml.Attribute)4
Role (com.tremolosecurity.unison.openstack.model.Role)4
KSRole (com.tremolosecurity.unison.openstack.model.KSRole)3
KSUser (com.tremolosecurity.unison.openstack.model.KSUser)3
ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)2
Workflow (com.tremolosecurity.provisioning.core.Workflow)2
HttpCon (com.tremolosecurity.provisioning.util.HttpCon)2
UserAndID (com.tremolosecurity.unison.openstack.model.UserAndID)2
UserHolder (com.tremolosecurity.unison.openstack.model.UserHolder)2
KSToken (com.tremolosecurity.unison.openstack.util.KSToken)2
IOException (java.io.IOException)2
HashSet (java.util.HashSet)2
ClientProtocolException (org.apache.http.client.ClientProtocolException)2
User (com.tremolosecurity.provisioning.core.User)1
GroupLookupResponse (com.tremolosecurity.unison.openstack.model.GroupLookupResponse)1
KSGroup (com.tremolosecurity.unison.openstack.model.KSGroup)1
KSRoleAssignment (com.tremolosecurity.unison.openstack.model.KSRoleAssignment)1
RoleAssignmentResponse (com.tremolosecurity.unison.openstack.model.RoleAssignmentResponse)1
UserLookupResponse (com.tremolosecurity.unison.openstack.model.UserLookupResponse)1
