the class NegotiateAuthUtils method cacheNegotiatingProfiles.
/**
 * Rebuilds the {@code profiles} and {@code schemes} fields from the configured profiles.
 *
 * A profile is kept only when its authn extension advertises at least one of the capability
 * bits in {@code caps} ({@code Authn.ContextKeys.CAPABILITIES}); the HTTP authentication
 * schemes such a profile declares are accumulated into {@code schemes}. The kept profiles are
 * sorted by negotiation priority, which fixes the order in which negotiation is later tried.
 *
 * @param availableProfiles all configured authentication profiles
 */
private void cacheNegotiatingProfiles(final Collection<AuthenticationProfile> availableProfiles) {
    schemes = new HashSet<>();
    profiles = new ArrayList<>();
    for (AuthenticationProfile candidate : availableProfiles) {
        ExtMap context = candidate.getAuthn().getContext();
        // NOTE(review): a context without CAPABILITIES would NPE here — presumably every authn sets it.
        long capabilities = context.<Long>get(Authn.ContextKeys.CAPABILITIES).longValue();
        if ((capabilities & caps) == 0) {
            continue;
        }
        profiles.add(candidate);
        Collection<String> declared = context.<Collection<String>>get(
                Authn.ContextKeys.HTTP_AUTHENTICATION_SCHEME, Collections.<String>emptyList());
        schemes.addAll(declared);
    }
    profiles.sort(Comparator.comparing(AuthenticationProfile::getNegotiationPriority));
}
the class NegotiateAuthUtils method doAuth.
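/**
 * Runs one round of negotiated (external) authentication over the profiles on {@code stack}.
 *
 * Profiles are tried top-first. Each one's authn extension is invoked with
 * {@code AUTHENTICATE_NEGOTIATE} and the current request/response, and the returned
 * {@code Authn.InvokeKeys.RESULT} decides what happens next:
 * <ul>
 * <li>{@code SUCCESS}: the auth record is passed through the profile's mapper (if any), the
 *     principal record is fetched from authz with groups resolved recursively, an SSO session is
 *     persisted and the access token is read back from the request attribute
 *     {@code SsoConstants.HTTP_REQ_ATTR_ACCESS_TOKEN}; the stack is then cleared. If any of that
 *     fails the profile is dropped and the next one is tried.</li>
 * <li>{@code NEGOTIATION_UNAUTHORIZED} or an unexpected code: the profile is dropped.</li>
 * <li>{@code NEGOTIATION_INCOMPLETE}: the loop stops so the client can answer the challenge.</li>
 * </ul>
 * Whatever is left on the stack is stored in the HTTP session under {@code STACK_ATTR} for the
 * next round trip; an empty stack removes the attribute.
 *
 * @param req   current request; mutated only through its session attribute
 * @param rsp   current response, handed to the extension so it can emit challenges
 * @param stack profiles still to try, top first; consumed by this method
 * @return the last status reported by an extension plus the token, which is null unless a login
 *         completed. NOTE(review): the status can still read {@code SUCCESS} when the later
 *         principal fetch failed and the stack ran out — callers should key off the token.
 * @throws IOException      declared for callers; not thrown by this body (everything is caught)
 * @throws ServletException declared for callers; not thrown by this body
 */
private AuthResult doAuth(HttpServletRequest req, HttpServletResponse rsp, Deque<AuthenticationProfile> stack) throws IOException, ServletException {
    log.debug("Performing external authentication");
    AuthResult retVal = new AuthResult(Authn.AuthResult.NEGOTIATION_UNAUTHORIZED);
    String token = null;
    boolean stop = false;
    try {
        while (!stop && !stack.isEmpty()) {
            AuthenticationProfile profile = stack.peek();
            ExtMap output = profile.getAuthn().invoke(new ExtMap()
                    .mput(Base.InvokeKeys.COMMAND, Authn.InvokeCommands.AUTHENTICATE_NEGOTIATE)
                    .mput(Authn.InvokeKeys.HTTP_SERVLET_REQUEST, req)
                    .mput(Authn.InvokeKeys.HTTP_SERVLET_RESPONSE, rsp));
            // A missing RESULT unboxes to an NPE in the switch; the outer catch turns that into a failed round.
            Integer result = output.<Integer>get(Authn.InvokeKeys.RESULT);
            retVal.setStatus(result);
            switch (result) {
                case Authn.AuthResult.SUCCESS:
                    try {
                        ExtMap authRecord = output.get(Authn.InvokeKeys.AUTH_RECORD);
                        // An optional mapper extension may rewrite the auth record; fall back to the original if it returns none.
                        if (profile.getMapper() != null) {
                            authRecord = profile.getMapper().invoke(new ExtMap()
                                    .mput(Base.InvokeKeys.COMMAND, Mapping.InvokeCommands.MAP_AUTH_RECORD)
                                    .mput(Authn.InvokeKeys.AUTH_RECORD, authRecord), true)
                                    .get(Authn.InvokeKeys.AUTH_RECORD, authRecord);
                        }
                        ExtMap outputMap = profile.getAuthz().invoke(new ExtMap()
                                .mput(Base.InvokeKeys.COMMAND, Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD)
                                .mput(Authn.InvokeKeys.AUTH_RECORD, authRecord)
                                .mput(Authz.InvokeKeys.QUERY_FLAGS, Authz.QueryFlags.RESOLVE_GROUPS | Authz.QueryFlags.RESOLVE_GROUPS_RECURSIVE));
                        SsoSession ssoSession = SsoUtils.persistAuthInfoInContextWithToken(req, null, profile.getName(), authRecord, outputMap.get(Authz.InvokeKeys.PRINCIPAL_RECORD));
                        // Only the user id, profile name and scopes are logged — never the token or credentials.
                        log.info("User {}@{} successfully logged in with scopes : {} ", SsoUtils.getUserId(outputMap.get(Authz.InvokeKeys.PRINCIPAL_RECORD)), profile.getName(), ssoSession.getScope());
                        token = (String) req.getAttribute(SsoConstants.HTTP_REQ_ATTR_ACCESS_TOKEN);
                        stack.clear();
                    } catch (Exception e) {
                        // Keep the cause in the debug log instead of dropping it, then fall through to the next profile.
                        log.debug("Cannot fetch principal, trying other authn extension.", e);
                        stack.pop();
                    }
                    break;
                case Authn.AuthResult.NEGOTIATION_UNAUTHORIZED:
                    stack.pop();
                    break;
                case Authn.AuthResult.NEGOTIATION_INCOMPLETE:
                    // The extension has issued a challenge; resume with the same profile on the next request.
                    stop = true;
                    break;
                default:
                    log.error("Unexpected authentication result. AuthResult code: {}", result);
                    stack.pop();
                    break;
            }
        }
        if (!stack.isEmpty()) {
            req.getSession(true).setAttribute(STACK_ATTR, stack);
        } else {
            req.getSession(true).removeAttribute(STACK_ATTR);
        }
    } catch (Exception ex) {
        // Message only at error level; the full trace is debug so ordinary logs stay readable.
        log.error("External Authentication Failed: {}", ex.getMessage());
        log.debug("External Authentication Failed", ex);
        token = null;
    }
    log.debug("External Authentication result: {}", StringUtils.isNotEmpty(token));
    retVal.setToken(token);
    return retVal;
}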
the class SsoUtils method prepareGroupMembershipsForJson.
/**
 * Flattens a principal's group memberships into a form Jackson can serialise.
 *
 * Jackson cannot serialise object graphs with cycles, and nested group memberships may well be
 * cyclic, so the records are rewritten as follows:
 * <ol>
 * <li>every directly held group record is copied and the copy is marked with an empty value
 *     under {@code Authz.PrincipalRecord.PRINCIPAL};</li>
 * <li>{@code Authz.GroupRecord.GROUPS} of each copy is replaced by the result of
 *     {@code processGroupMemberships}, i.e. group IDs ({@code Collection<String>}) instead of
 *     nested records ({@code Collection<ExtMap>});</li>
 * <li>every group record reached this way is returned once, as a flat collection.</li>
 * </ol>
 * The engine side reverses the transformation in
 * {@code org.ovirt.engine.core.aaa.SsoOAuthServiceUtils.processGroupMembershipsFromJson()}.
 *
 * @param groupRecords group records the principal is a direct member of; the input records are
 *                     not modified, copies are made
 * @return all referenced group records, each present once by {@code Authz.GroupRecord.ID}
 */
public static Collection<ExtMap> prepareGroupMembershipsForJson(Collection<ExtMap> groupRecords) {
    Map<String, ExtMap> resolvedGroups = new HashMap<>();
    for (ExtMap original : groupRecords) {
        String groupId = original.<String>get(Authz.GroupRecord.ID);
        if (resolvedGroups.containsKey(groupId)) {
            continue;
        }
        ExtMap copy = new ExtMap(original);
        copy.put(Authz.PrincipalRecord.PRINCIPAL, "");
        // The copy is registered before its nested groups are processed; presumably
        // processGroupMemberships consults resolvedGroups so that cycles back here terminate.
        resolvedGroups.put(groupId, copy);
        copy.put(Authz.GroupRecord.GROUPS,
                processGroupMemberships(copy.get(Authz.GroupRecord.GROUPS, Collections.emptyList()), resolvedGroups));
    }
    return new ArrayList<>(resolvedGroups.values());
}
the class ExtensionsManager method loadImpl.
/**
 * Loads one extension instance described by {@code props} and registers it under its instance
 * name. Disabled entries are skipped; a second entry with an already-loaded name is a
 * configuration error. The method is {@code synchronized} so loads are serialised against each
 * other on this manager.
 *
 * Before {@code LOAD} is invoked the extension's context is populated with the global context,
 * the trace logger, the supported interface-version range, locale, configuration file path,
 * the raw properties, the list of sensitive configuration keys, the instance name and the
 * provided services. Observers are notified once the entry is registered.
 *
 * @param props    configuration properties of the extension
 * @param confFile file the properties came from, may be null
 * @return the registered instance name, or null when the entry is disabled
 * @throws ConfigurationException if an entry with the same name is already loaded
 * @throws RuntimeException       if instantiating the extension fails or {@code LOAD} returns a
 *                                non-success result (the original cause is attached)
 */
private synchronized String loadImpl(Properties props, File confFile) {
    ExtensionEntry entry = new ExtensionEntry(props, confFile);
    if (!entry.enabled) {
        return null;
    }
    ExtensionEntry existing = loadedEntries.get(entry.name);
    if (existing != null) {
        throw new ConfigurationException(String.format(
                "Could not load the configuration '%1$s' from file %2$s. A configuration with the same name was already loaded from file %3$s",
                entry.name, entry.getFileName(), existing.getFileName()));
    }
    try {
        entry.extension = loadExtension(props);
        String configFilePath = entry.file == null ? null : entry.file.getAbsolutePath();
        ExtMap context = entry.extension.getContext();
        // Sensitive keys are passed along explicitly — presumably so configuration dumps can mask them; verify in dumpConfig.
        context.mput(Base.ContextKeys.GLOBAL_CONTEXT, globalContext)
                .mput(TRACE_LOG_CONTEXT_KEY, traceLog)
                .mput(Base.ContextKeys.INTERFACE_VERSION_MIN, 0)
                .mput(Base.ContextKeys.INTERFACE_VERSION_MAX, Base.INTERFACE_VERSION_CURRENT)
                .mput(Base.ContextKeys.LOCALE, Locale.getDefault().toString())
                .mput(Base.ContextKeys.CONFIGURATION_FILE, configFilePath)
                .mput(Base.ContextKeys.CONFIGURATION, props)
                .mput(Base.ContextKeys.CONFIGURATION_SENSITIVE_KEYS, splitString(props.getProperty(Base.ConfigKeys.SENSITIVE_KEYS, "")))
                .mput(Base.ContextKeys.INSTANCE_NAME, entry.name)
                .mput(Base.ContextKeys.PROVIDES, splitString(props.getProperty(Base.ConfigKeys.PROVIDES, "")));
        log.info("Loading extension '{}'", entry.name);
        ExtMap output = entry.extension.invoke(new ExtMap().mput(Base.InvokeKeys.COMMAND, Base.InvokeCommands.LOAD));
        log.info("Extension '{}' loaded", entry.name);
        // Replace the shared trace logger with a per-instance one now that EXTENSION_NAME is available.
        String traceLoggerName = String.format("%1$s.%2$s.%3$s",
                traceLog.getName(),
                context.get(Base.ContextKeys.EXTENSION_NAME),
                context.get(Base.ContextKeys.INSTANCE_NAME));
        context.put(TRACE_LOG_CONTEXT_KEY, LoggerFactory.getLogger(traceLoggerName));
        Integer loadResult = output.<Integer>get(Base.InvokeKeys.RESULT);
        if (loadResult != Base.InvokeResult.SUCCESS) {
            throw new RuntimeException(String.format("Invoke of LOAD returned with error code: %1$s", loadResult));
        }
    } catch (Exception e) {
        throw new RuntimeException(String.format("Error loading extension '%1$s': %2$s", entry.name, e.getMessage()), e);
    }
    loadedEntries.put(entry.name, entry);
    dumpConfig(entry.extension);
    setChanged();
    notifyObservers();
    return entry.name;
}
the class AuthenticationUtils method changePassword.
/**
 * Asks the authn extension of the selected profile to change the user's credentials.
 *
 * The user name is first mapped for the profile, then {@code CREDENTIALS_CHANGE} is invoked with
 * the current and the new credentials. The change counts as successful only when both the
 * invoke result and the authn result are {@code SUCCESS}; otherwise the submitted credentials
 * are stored on the SSO session and an {@link AuthenticationException} carrying the mapped
 * error message is thrown. Log lines contain no credential material.
 *
 * @param context     SSO context used to resolve the profile and error messages
 * @param request     current request; its SSO session receives the credentials on failure
 * @param credentials profile name, user, current and new credentials
 * @throws AuthenticationException if the extension rejects the change
 */
public static void changePassword(SsoContext context, HttpServletRequest request, Credentials credentials) throws AuthenticationException {
    ExtensionProfile profile = getExtensionProfile(context, credentials.getProfile());
    String user = mapUser(profile, credentials);
    log.debug("AuthenticationUtils.changePassword invoking CREDENTIALS_CHANGE on authn");
    ExtMap input = new ExtMap()
            .mput(Base.InvokeKeys.COMMAND, Authn.InvokeCommands.CREDENTIALS_CHANGE)
            .mput(Authn.InvokeKeys.USER, user)
            .mput(Authn.InvokeKeys.CREDENTIALS, credentials.getCredentials())
            .mput(Authn.InvokeKeys.CREDENTIALS_NEW, credentials.getNewCredentials());
    ExtMap outputMap = profile.authn.invoke(input);
    // Short-circuit is intentional: the authn result is only read when the invoke itself succeeded.
    boolean succeeded = outputMap.<Integer>get(Base.InvokeKeys.RESULT) == Base.InvokeResult.SUCCESS
            && outputMap.<Integer>get(Authn.InvokeKeys.RESULT) == Authn.AuthResult.SUCCESS;
    if (!succeeded) {
        // NOTE(review): the submitted secrets (current and new) are kept on the session here — confirm they are cleared once the retry completes.
        SsoUtils.getSsoSession(request).setChangePasswdCredentials(credentials);
        log.debug("AuthenticationUtils.changePassword CREDENTIALS_CHANGE on authn failed");
        throw new AuthenticationException(AuthnMessageMapper.mapMessageErrorCode(context, request, credentials.getProfile(), outputMap));
    }
    log.debug("AuthenticationUtils.changePassword CREDENTIALS_CHANGE on authn succeeded");
}