apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-12-16 10:32:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

api: add method to pass on api authenticators to cmd classes

Browse Source 
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This commit is contained in:
Rohit Yadav 2014-08-24 20:47:43 +02:00
parent 8e6cb04480
commit 47ccce85a1
6 changed files with 51 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/org/apache/cloudstack/api/auth/APIAuthenticator.java
View File

@ -20,6 +20,7 @@ import org.apache.cloudstack.api.ServerApiException;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.util.List;
import java.util.Map; import java.util.Map;
/* /*
@ -36,5 +37,8 @@ public interface APIAuthenticator {
public String authenticate(String command, Map<String, Object[]> params, public String authenticate(String command, Map<String, Object[]> params,
HttpSession session, String remoteAddress, String responseType, HttpSession session, String remoteAddress, String responseType,
StringBuilder auditTrailSb, final HttpServletResponse resp) throws ServerApiException; StringBuilder auditTrailSb, final HttpServletResponse resp) throws ServerApiException;
public APIAuthenticationType getAPIType(); public APIAuthenticationType getAPIType();
public void setAuthenticators(List<PluggableAPIAuthenticator> authenticators);
} }

38
plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
View File

@ -32,6 +32,7 @@ import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.auth.APIAuthenticationType; import org.apache.cloudstack.api.auth.APIAuthenticationType;
import org.apache.cloudstack.api.auth.APIAuthenticator; import org.apache.cloudstack.api.auth.APIAuthenticator;
import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
import org.apache.cloudstack.api.response.LoginCmdResponse; import org.apache.cloudstack.api.response.LoginCmdResponse;
import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.context.CallContext;
import org.apache.cloudstack.saml.SAML2AuthManager; import org.apache.cloudstack.saml.SAML2AuthManager;
@ -49,7 +50,10 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.xml.ConfigurationException; import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException; import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature; import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import javax.inject.Inject; import javax.inject.Inject;
@ -80,7 +84,7 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
ApiServerService _apiServer; ApiServerService _apiServer;
@Inject @Inject
EntityManager _entityMgr; EntityManager _entityMgr;
@Inject
SAML2AuthManager _samlAuthManager; SAML2AuthManager _samlAuthManager;
///////////////////////////////////////////////////// /////////////////////////////////////////////////////
@ -135,9 +139,10 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
public Response processSAMLResponse(String responseMessage) { public Response processSAMLResponse(String responseMessage) {
Response responseObject = null; Response responseObject = null;
try { try {
DefaultBootstrap.bootstrap();
responseObject = SAMLUtils.decodeSAMLResponse(responseMessage); responseObject = SAMLUtils.decodeSAMLResponse(responseMessage);
} catch (ConfigurationException | ParserConfigurationException | SAXException | IOException | UnmarshallingException e) { } catch (ConfigurationException | FactoryConfigurationError | ParserConfigurationException | SAXException | IOException | UnmarshallingException e) {
s_logger.error("SAMLResponse processing error: " + e.getMessage()); s_logger.error("SAMLResponse processing error: " + e.getMessage());
} }
return responseObject; return responseObject;
@ -165,9 +170,20 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
params, responseType)); params, responseType));
} }
Signature sig = processedSAMLResponse.getSignature(); if (_samlAuthManager.getIdpSigningKey() != null) {
//SignatureValidator validator = new SignatureValidator(credential); Signature sig = processedSAMLResponse.getSignature();
//validator.validate(sig); BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(_samlAuthManager.getIdpSigningKey());
SignatureValidator validator = new SignatureValidator(credential);
try {
validator.validate(sig);
} catch (ValidationException e) {
s_logger.error("SAML Response's signature failed to be validated by IDP signing key:" + e.getMessage());
throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(),
"SAML Response's signature failed to be validated by IDP signing key",
params, responseType));
}
}
String uniqueUserId = null; String uniqueUserId = null;
String accountName = "admin"; //GET from config, try, fail String accountName = "admin"; //GET from config, try, fail
@ -251,4 +267,16 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
public APIAuthenticationType getAPIType() { public APIAuthenticationType getAPIType() {
return APIAuthenticationType.LOGIN_API; return APIAuthenticationType.LOGIN_API;
} }
@Override
public void setAuthenticators(List<PluggableAPIAuthenticator> authenticators) {
for (PluggableAPIAuthenticator authManager: authenticators) {
if (authManager instanceof SAML2AuthManager) {
_samlAuthManager = (SAML2AuthManager) authManager;
}
}
if (_samlAuthManager == null) {
s_logger.error("No suitable Pluggable Authentication Manager found for SAML2 Login Cmd");
}
}
} }

1
server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
View File

@ -81,6 +81,7 @@ public class APIAuthenticationManagerImpl extends ManagerBase implements APIAuth
try { try {
apiAuthenticator = (APIAuthenticator) s_authenticators.get(name).newInstance(); apiAuthenticator = (APIAuthenticator) s_authenticators.get(name).newInstance();
apiAuthenticator = ComponentContext.inject(apiAuthenticator); apiAuthenticator = ComponentContext.inject(apiAuthenticator);
apiAuthenticator.setAuthenticators(_apiAuthenticators);
} catch (InstantiationException | IllegalAccessException e) { } catch (InstantiationException | IllegalAccessException e) {
if (s_logger.isDebugEnabled()) { if (s_logger.isDebugEnabled()) {
s_logger.debug("APIAuthenticationManagerImpl::getAPIAuthenticator failed: " + e.getMessage()); s_logger.debug("APIAuthenticationManagerImpl::getAPIAuthenticator failed: " + e.getMessage());

6
server/src/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
View File

@ -28,12 +28,14 @@ import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.auth.APIAuthenticationType; import org.apache.cloudstack.api.auth.APIAuthenticationType;
import org.apache.cloudstack.api.auth.APIAuthenticator; import org.apache.cloudstack.api.auth.APIAuthenticator;
import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
import org.apache.cloudstack.api.response.LoginCmdResponse; import org.apache.cloudstack.api.response.LoginCmdResponse;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import javax.inject.Inject; import javax.inject.Inject;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.util.List;
import java.util.Map; import java.util.Map;
@APICommand(name = "login", description = "Logs a user into the CloudStack. A successful login attempt will generate a JSESSIONID cookie value that can be passed in subsequent Query command calls until the \"logout\" command has been issued or the session has expired.", requestHasSensitiveInfo = true, responseObject = LoginCmdResponse.class, entityType = {}) @APICommand(name = "login", description = "Logs a user into the CloudStack. A successful login attempt will generate a JSESSIONID cookie value that can be passed in subsequent Query command calls until the \"logout\" command has been issued or the session has expired.", requestHasSensitiveInfo = true, responseObject = LoginCmdResponse.class, entityType = {})
@ -172,4 +174,8 @@ public class DefaultLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthe
public APIAuthenticationType getAPIType() { public APIAuthenticationType getAPIType() {
return APIAuthenticationType.LOGIN_API; return APIAuthenticationType.LOGIN_API;
} }
@Override
public void setAuthenticators(List<PluggableAPIAuthenticator> authenticators) {
}
} }

6
server/src/com/cloud/api/auth/DefaultLogoutAPIAuthenticatorCmd.java
View File

@ -24,11 +24,13 @@ import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.ServerApiException; import org.apache.cloudstack.api.ServerApiException;
import org.apache.cloudstack.api.auth.APIAuthenticationType; import org.apache.cloudstack.api.auth.APIAuthenticationType;
import org.apache.cloudstack.api.auth.APIAuthenticator; import org.apache.cloudstack.api.auth.APIAuthenticator;
import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
import org.apache.cloudstack.api.response.LogoutCmdResponse; import org.apache.cloudstack.api.response.LogoutCmdResponse;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.util.List;
import java.util.Map; import java.util.Map;
@APICommand(name = "logout", description = "Logs out the user", responseObject = LogoutCmdResponse.class, entityType = {}) @APICommand(name = "logout", description = "Logs out the user", responseObject = LogoutCmdResponse.class, entityType = {})
@ -70,4 +72,8 @@ public class DefaultLogoutAPIAuthenticatorCmd extends BaseCmd implements APIAuth
public APIAuthenticationType getAPIType() { public APIAuthenticationType getAPIType() {
return APIAuthenticationType.LOGOUT_API; return APIAuthenticationType.LOGOUT_API;
} }
@Override
public void setAuthenticators(List<PluggableAPIAuthenticator> authenticators) {
}
} }

2
server/src/com/cloud/configuration/Config.java
View File

@ -1384,7 +1384,7 @@ public enum Config {
ManagementServer.class, ManagementServer.class,
String.class, String.class,
"saml2.sp.id", "saml2.sp.id",
"Apache CloudStack", "org.apache.cloudstack",
"SAML2 Service Provider Identifier String", "SAML2 Service Provider Identifier String",
null), null),
SAMLServiceProviderSingleSignOnURL( SAMLServiceProviderSingleSignOnURL(