mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
107595a6a5
* Move config options to SAML plugin
This moves all configuration options from Config.java to SAML auth manager. This
allows us to use the config framework.
* Make SAML2UserAuthenticator validate SAML token in httprequest
* Make logout API use ConfigKeys defined in saml auth manager
* Before doing SAML auth, cleanup local states and cookies
* Fix configurations in 4.5.1 to 4.5.2 upgrade path
* Fail if idp has no sso URL defined
* Add a default set of SAML SP cert for testing purposes
Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb
* UI remembers login selections, IDP server
- CLOUDSTACK-8458:
* On UI show dropdown list of discovered IdPs
* Support SAML Federation, where there may be more than one IdP
- New datastructure to hold metadata of SP or IdP
- Recursive processing of IdP metadata
- Fix login/logout APIs to get new interface and metadata data structure
- Add org/contact information to metadata
- Add new API: listIdps that returns list of all discovered IdPs
- Refactor and cleanup code and tests
- CLOUDSTACK-8459:
* Add HTTP-POST binding to SP metadata
* Authn requests must use either HTTP POST/Artifact binding
- CLOUDSTACK-8461:
* Use unspecified x509 cert as a fallback encryption/signing key
In case a IDP's metadata does not clearly say if their certificates need to be
used as signing or encryption and we don't find that, fallback to use the
unspecified key itself.
- CLOUDSTACK-8462:
* SAML Auth plugin should not do authorization
This removes logic to create user if they don't exist. This strictly now
assumes that users have been already created/imported/authorized by admins.
As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using
either HTTP POST or HTTP Artifact binding to transfer the message through a
user agent (browser in our case). The use of HTTP Redirect was one of the reasons
why this plugin failed to work for some IdP servers that enforce this.
* Add new User Source
By reusing the source field, we can find if a user has been SAML enabled or not.
The limitation is that, once say a user is imported by LDAP and then SAML
enabled - they won't be able to use LDAP for authentication
* UI should allow users to pass in domain they want to log into, though it is
optional and needed only when a user has accounts across domains with same
username and authorized IDP server
* SAML users need to be authorized before they can authenticate
- New column entity to track saml entity id for a user
- Reusing source column to check if user is saml enabled or not
- Add new source types, saml2 and saml2disabled
- New table saml_token to solve the issue of multiple users across domains and
to enforce security by tracking authn token and checking the samlresponse for
the tokens
- Implement API: authorizeSamlSso to enable/disable saml authentication for a
user
- Stubs to implement saml token flushing/expiry
- CLOUDSTACK-8463:
* Use username attribute specified in global setting
Use username attribute defined by admin from a global setting
In case of encrypted assertion/attributes:
- Decrypt them
- Check signature if provided to check authenticity of message using IdP's
public key and SP's private key
- Loop through attributes to find the username
- CLOUDSTACK-8538:
* Add new global config for SAML request sig algorithm
- CLOUDSTACK-8539:
* Add metadata refresh timer task and token expiring
- Fix domain path and save it to saml_tokens
- Expire hour old saml tokens
- Refresh metadata based on timer task
- Fix unit tests
This closes #489
(cherry picked from commit 20ce346f3acb794b08a51841bab2188d426bf7dc)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Conflicts:
client/WEB-INF/classes/resources/messages_hu.properties
plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/wrapper/xenbase/CitrixCheckHealthCommandWrapper.java
plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
ui/scripts/ui-custom/login.js
308 lines
16 KiB
JavaScript
308 lines
16 KiB
JavaScript
// Licensed to the Apache Software Foundation (ASF) under one
|
|
// or more contributor license agreements. See the NOTICE file
|
|
// distributed with this work for additional information
|
|
// regarding copyright ownership. The ASF licenses this file
|
|
// to you under the Apache License, Version 2.0 (the
|
|
// "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
(function($, cloudStack) {
|
|
cloudStack.uiCustom.accountsWizard = function(args, isLdap) {
|
|
return function(listViewArgs) {
|
|
var context = listViewArgs.context;
|
|
var ldapStatus = isLdap;
|
|
var accountsWizard = function(data) {
|
|
var $wizard = $('#template').find('div.accounts-wizard').clone();
|
|
var $form = $wizard.find('form');
|
|
|
|
var close = function() {
|
|
$wizard.dialog('destroy');
|
|
$wizard.remove();
|
|
$('div.overlay').fadeOut(function() {
|
|
$('div.overlay').remove();
|
|
});
|
|
};
|
|
|
|
var completeAction = function() {
|
|
var data = cloudStack.serializeForm($form);
|
|
var groupname = $.trim(data.ldapGroupName);
|
|
if (groupname) {
|
|
args.action({
|
|
context: context,
|
|
data: data,
|
|
isLdap: isLdap,
|
|
groupname: groupname,
|
|
response: {
|
|
error: function(message) {
|
|
if (message) {
|
|
cloudStack.dialog.notice({
|
|
message: message
|
|
});
|
|
}
|
|
}
|
|
}
|
|
});
|
|
} else {
|
|
var username = data.username;
|
|
var bulkAdd = (username instanceof Array);
|
|
if (bulkAdd) {
|
|
for (var i = 0; i < username.length; i++) {
|
|
args.action({
|
|
context: context,
|
|
data: data,
|
|
isLdap: isLdap,
|
|
username: username[i],
|
|
response: {
|
|
error: function(message) {
|
|
if (message) {
|
|
cloudStack.dialog.notice({
|
|
message: message
|
|
});
|
|
}
|
|
}
|
|
}
|
|
});
|
|
}
|
|
} else {
|
|
args.action({
|
|
context: context,
|
|
data: data,
|
|
isLdap: isLdap,
|
|
username: username,
|
|
response: {
|
|
error: function(message) {
|
|
if (message) {
|
|
cloudStack.dialog.notice({
|
|
message: message
|
|
});
|
|
}
|
|
}
|
|
}
|
|
});
|
|
}
|
|
}
|
|
};
|
|
|
|
$wizard.click(function(event) {
|
|
var $target = $(event.target);
|
|
if ($target.closest('button.next').size()) {
|
|
$form.validate();
|
|
if ($form.valid()) {
|
|
completeAction();
|
|
$(window).trigger('cloudStack.fullRefresh');
|
|
close();
|
|
return true;
|
|
}
|
|
}
|
|
|
|
if ($target.closest('button.cancel').size()) {
|
|
close();
|
|
return false;
|
|
}
|
|
});
|
|
|
|
if (ldapStatus) {
|
|
var $table = $wizard.find('.ldap-account-choice tbody');
|
|
$("#label_ldap_group_name").live("keypress", function(event) {
|
|
if ($table.find("#tr-groupname-message").length === 0) {
|
|
$("<tr id='tr-groupname-message'>").appendTo($table).append("<td colspan=\"4\">All The users from the given group name will be imported</td>");
|
|
}
|
|
$table.find("tr").hide();
|
|
$table.find("#tr-groupname-message").show();
|
|
});
|
|
$("#label_ldap_group_name").live("blur", function(event) {
|
|
if (!$(this).val()) {
|
|
$table.find("tr").show();
|
|
$table.find("#tr-groupname-message").hide();
|
|
}
|
|
});
|
|
$.ajax({
|
|
url: createURL("listLdapUsers&listtype=new"),
|
|
dataType: "json",
|
|
async: false,
|
|
success: function(json) {
|
|
//for testing only (begin)
|
|
/*
|
|
json = {
|
|
"ldapuserresponse": {
|
|
"count": 11,
|
|
"LdapUser": [
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=Administrator,CN=Users,DC=hyd-qa,DC=com",
|
|
"username": "Administrator",
|
|
"domain": "CN=Administrator"
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=Guest,CN=Users,DC=hyd-qa,DC=com",
|
|
"username": "Guest",
|
|
"domain": "CN=Guest"
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=IUSR_HYD-QA12,CN=Users,DC=hyd-qa,DC=com",
|
|
"username": "IUSR_HYD-QA12",
|
|
"domain": "CN=IUSR_HYD-QA12"
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=IWAM_HYD-QA12,CN=Users,DC=hyd-qa,DC=com",
|
|
"username": "IWAM_HYD-QA12",
|
|
"domain": "CN=IWAM_HYD-QA12"
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=SUPPORT_388945a0,CN=Users,DC=hyd-qa,DC=com",
|
|
"username": "SUPPORT_388945a0",
|
|
"domain": "CN=SUPPORT_388945a0"
|
|
},
|
|
{
|
|
"principal": "CN=jessica j,CN=Users,DC=hyd-qa,DC=com",
|
|
"firstname": "jessica",
|
|
"lastname": "j",
|
|
"username": "jessica",
|
|
"domain": "CN=jessica j"
|
|
},
|
|
{
|
|
"principal": "CN=krbtgt,CN=Users,DC=hyd-qa,DC=com",
|
|
"username": "krbtgt",
|
|
"domain": "CN=krbtgt"
|
|
},
|
|
{
|
|
"email": "sadhu@sadhu.com",
|
|
"principal": "CN=sadhu,CN=Users,DC=hyd-qa,DC=com",
|
|
"firstname": "sadhu",
|
|
"username": "sadhu",
|
|
"domain": "CN=sadhu"
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=sangee1 hariharan,CN=Users,DC=hyd-qa,DC=com",
|
|
"firstname": "sangee1",
|
|
"lastname": "hariharan",
|
|
"username": "sangee1",
|
|
"domain": "CN=sangee1 hariharan"
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=sanjeev n.,CN=Users,DC=hyd-qa,DC=com",
|
|
"firstname": "sanjeev",
|
|
"username": "sanjeev",
|
|
"domain": "CN=sanjeev n."
|
|
},
|
|
{
|
|
"email": "test@test.com",
|
|
"principal": "CN=test1dddd,CN=Users,DC=hyd-qa,DC=com",
|
|
"firstname": "test1",
|
|
"username": "test1dddd",
|
|
"domain": "CN=test1dddd"
|
|
}
|
|
]
|
|
}
|
|
};
|
|
*/
|
|
//for testing only (end)
|
|
|
|
if (json.ldapuserresponse.count > 0) {
|
|
$(json.ldapuserresponse.LdapUser).each(function() {
|
|
var $result = $('<tr>');
|
|
|
|
$result.append(
|
|
$('<td>').addClass('select').append(
|
|
$('<input>').attr({
|
|
type: 'checkbox', name: 'username', value: _s(this.username)
|
|
})
|
|
),
|
|
$('<td>').addClass('name').html(_s(this.firstname) + ' ' + _s(this.lastname))
|
|
.attr('title', _s(this.firstname) + ' ' + _s(this.lastname)),
|
|
$('<td>').addClass('username').html(_s(this.username))
|
|
.attr('title', this.username),
|
|
$('<td>').addClass('email').html(_s(this.email))
|
|
.attr('title', _s(this.email))
|
|
)
|
|
|
|
$table.append($result);
|
|
});
|
|
} else {
|
|
var $result = $('<tr>');
|
|
|
|
$result.append(
|
|
$('<td>').attr('colspan', 4).html(_l('label.no.data'))
|
|
);
|
|
|
|
$table.append($result);
|
|
}
|
|
}
|
|
});
|
|
} else {
|
|
var informationWithinLdap = cloudStack.dialog.createForm({
|
|
context: context,
|
|
noDialog: true,
|
|
form: {
|
|
title: '',
|
|
fields: args.informationWithinLdap
|
|
}
|
|
});
|
|
|
|
var informationWithinLdapForm = informationWithinLdap.$formContainer.find('form .form-item');
|
|
informationWithinLdapForm.find('.value #label_username').addClass('required');
|
|
informationWithinLdapForm.find('.value #password').addClass('required');
|
|
informationWithinLdapForm.find('.value #label_confirm_password').addClass('required');
|
|
informationWithinLdapForm.find('.value #label_confirm_password').attr('equalTo', '#password');
|
|
informationWithinLdapForm.find('.value #label_email').addClass('required');
|
|
informationWithinLdapForm.find('.value #label_first_name').addClass('required');
|
|
informationWithinLdapForm.find('.value #label_last_name').addClass('required');
|
|
$wizard.find('.manual-account-details').append(informationWithinLdapForm).children().css('background', 'none');
|
|
$wizard.find('.ldap-account-choice').css('display', 'none');
|
|
$wizard.removeClass('multi-wizard');
|
|
}
|
|
|
|
if (!ldapStatus) {
|
|
delete args.informationNotInLdap.ldapGroupName;
|
|
}
|
|
|
|
if (g_idpList == null) {
|
|
delete args.informationNotInLdap.samlEnable;
|
|
delete args.informationNotInLdap.samlEntity;
|
|
}
|
|
|
|
var informationNotInLdap = cloudStack.dialog.createForm({
|
|
context: context,
|
|
noDialog: true,
|
|
form: {
|
|
title: '',
|
|
fields: args.informationNotInLdap
|
|
}
|
|
});
|
|
|
|
var informationNotInLdapForm = informationNotInLdap.$formContainer.find('form .form-item');
|
|
informationNotInLdapForm.find('.value #label_domain').addClass('required');
|
|
informationNotInLdapForm.find('.value #label_type').addClass('required');
|
|
if (!ldapStatus) {
|
|
informationNotInLdapForm.css('background', 'none');
|
|
}
|
|
$wizard.find('.manual-account-details').append(informationNotInLdapForm);
|
|
|
|
return $wizard.dialog({
|
|
title: ldapStatus ? _l('Add LDAP Account') : _l('label.add.account'),
|
|
width: ldapStatus ? 800 : 330,
|
|
height: ldapStatus ? 500 : 500,
|
|
closeOnEscape: false,
|
|
zIndex: 5000
|
|
}).closest('.ui-dialog').overlay();
|
|
};
|
|
|
|
accountsWizard(args);
|
|
};
|
|
};
|
|
})(jQuery, cloudStack); |