apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity
cloudstack/developer/pom.xml
Rohit Yadav 107595a6a5 CLOUDSTACK-8457: SAML auth plugin improvements for production usage 
* Move config options to SAML plugin
  This moves all configuration options from Config.java to SAML auth manager. This
  allows us to use the config framework.
* Make SAML2UserAuthenticator validate SAML token in httprequest
* Make logout API use ConfigKeys defined in saml auth manager
* Before doing SAML auth, cleanup local states and cookies
* Fix configurations in 4.5.1 to 4.5.2 upgrade path
* Fail if idp has no sso URL defined
* Add a default set of SAML SP cert for testing purposes
  Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb
* UI remembers login selections, IDP server

- CLOUDSTACK-8458:
    * On UI show dropdown list of discovered IdPs
    * Support SAML Federation, where there may be more than one IdP
        - New datastructure to hold metadata of SP or IdP
        - Recursive processing of IdP metadata
        - Fix login/logout APIs to get new interface and metadata data structure
        - Add org/contact information to metadata
        - Add new API: listIdps that returns list of all discovered IdPs
        - Refactor and cleanup code and tests

- CLOUDSTACK-8459:
    * Add HTTP-POST binding to SP metadata
    * Authn requests must use either HTTP POST/Artifact binding

- CLOUDSTACK-8461:
    * Use unspecified x509 cert as a fallback encryption/signing key
      In case a IDP's metadata does not clearly say if their certificates need to be
      used as signing or encryption and we don't find that, fallback to use the
      unspecified key itself.

- CLOUDSTACK-8462:
    * SAML Auth plugin should not do authorization
      This removes logic to create user if they don't exist. This strictly now
      assumes that users have been already created/imported/authorized by admins.
      As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using
      either HTTP POST or HTTP Artifact binding to transfer the message through a
      user agent (browser in our case). The use of HTTP Redirect was one of the reasons
      why this plugin failed to work for some IdP servers that enforce this.
    * Add new User Source
      By reusing the source field, we can find if a user has been SAML enabled or not.
      The limitation is that, once say a user is imported by LDAP and then SAML
      enabled - they won't be able to use LDAP for authentication
    * UI should allow users to pass in domain they want to log into, though it is
      optional and needed only when a user has accounts across domains with same
      username and authorized IDP server
    * SAML users need to be authorized before they can authenticate
        - New column entity to track saml entity id for a user
        - Reusing source column to check if user is saml enabled or not
        - Add new source types, saml2 and saml2disabled
        - New table saml_token to solve the issue of multiple users across domains and
          to enforce security by tracking authn token and checking the samlresponse for
          the tokens
        - Implement API: authorizeSamlSso to enable/disable saml authentication for a
          user
        - Stubs to implement saml token flushing/expiry

- CLOUDSTACK-8463:
    * Use username attribute specified in global setting
      Use username attribute defined by admin from a global setting
      In case of encrypted assertion/attributes:
      - Decrypt them
      - Check signature if provided to check authenticity of message using IdP's
        public key and SP's private key
      - Loop through attributes to find the username

- CLOUDSTACK-8538:
    * Add new global config for SAML request sig algorithm

- CLOUDSTACK-8539:
    * Add metadata refresh timer task and token expiring
        - Fix domain path and save it to saml_tokens
        - Expire hour old saml tokens
        - Refresh metadata based on timer task
        - Fix unit tests

This closes #489

(cherry picked from commit 20ce346f3acb794b08a51841bab2188d426bf7dc)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

Conflicts:
	client/WEB-INF/classes/resources/messages_hu.properties
	plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/wrapper/xenbase/CitrixCheckHealthCommandWrapper.java
	plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
	ui/scripts/ui-custom/login.js
2015-06-29 12:31:51 +02:00

281 lines
11 KiB
XML
Raw Blame History

<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to
you under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of
the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
by applicable law or agreed to in writing, software distributed under the
License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
OF ANY KIND, either express or implied. See the License for the specific
language governing permissions and limitations under the License. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>cloud-developer</artifactId>
<name>Apache CloudStack Developer Mode</name>
<packaging>pom</packaging>
<parent>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloudstack</artifactId>
<version>4.6.0-SNAPSHOT</version>
</parent>
<dependencies>
<dependency>
<groupId>commons-dbcp</groupId>
<artifactId>commons-dbcp</artifactId>
</dependency>
<dependency>
<groupId>commons-pool</groupId>
<artifactId>commons-pool</artifactId>
</dependency>
<dependency>
<groupId>org.jasypt</groupId>
<artifactId>jasypt</artifactId>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-utils</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.apache.cloudstack</groupId>
<artifactId>cloud-server</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>properties-maven-plugin</artifactId>
<version>1.0-alpha-2</version>
<executions>
<execution>
<phase>initialize</phase>
<goals>
<goal>read-project-properties</goal>
</goals>
<configuration>
<files>
<file>${basedir}/../utils/conf/db.properties</file>
<file>${basedir}/../utils/conf/db.properties.override</file>
</files>
<quiet>true</quiet>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
<phase>generate-resources</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
<filter token="VERSION" value="${project.version}"/>
<copy todir="${basedir}/target/db" filtering="true">
<fileset dir="${basedir}/../setup/db/"/>
</copy>
</target>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
<profiles>
<profile>
<!-- default deploydb property -->
<id>deploydb</id>
<activation>
<property>
<name>deploydb</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>1.2.1</version>
<dependencies>
<!-- specify the dependent jdbc driver here -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>${cs.mysql.version}</version>
</dependency>
</dependencies>
<executions>
<execution>
<phase>process-resources</phase>
<id>create-schema</id>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.cloud.upgrade.DatabaseCreator</mainClass>
<includePluginDependencies>true</includePluginDependencies>
<arguments>
<!-- db properties file -->
<argument>${basedir}/../utils/conf/db.properties</argument>
<argument>${basedir}/../utils/conf/db.properties.override</argument>
<!-- Create default schema and db table views -->
<argument>${basedir}/target/db/create-schema.sql</argument>
<argument>${basedir}/target/db/create-schema-premium.sql</argument>
<!-- Seed templates -->
<argument>${basedir}/target/db/templates.sql</argument>
<!-- Seed the database -->
<argument>${basedir}/developer-prefill.sql</argument>
<argument>${basedir}/developer-prefill.sql.override</argument>
<!-- Do database upgrade-->
<argument>com.cloud.upgrade.DatabaseUpgradeChecker</argument>
<argument>--database=cloud,usage</argument>
<argument>--rootpassword=${db.root.password}</argument>
<!-- Print help using -h or dash-dash-help -->
<!-- Do dry run using -d or dash-dash-dry -->
<!-- Enable verbosity by -v or dash-dash-verbose -->
</arguments>
<systemProperties>
<systemProperty>
<key>catalina.home</key>
<value>${basedir}/../utils</value>
</systemProperty>
<systemProperty>
<key>paths.script</key>
<value>${basedir}/target/db</value>
</systemProperty>
</systemProperties>
</configuration>
</plugin>
</plugins>
</build>
</profile>
<profile>
<!-- saml deploydb property -->
<id>deploydb-saml</id>
<activation>
<property>
<name>deploydb-saml</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<dependencies>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>${cs.mysql.version}</version>
</dependency>
</dependencies>
<version>1.2.1</version>
<executions>
<execution>
<phase>process-resources</phase>
<id>create-schema-simulator</id>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.cloud.upgrade.DatabaseCreator</mainClass>
<includePluginDependencies>true</includePluginDependencies>
<arguments>
<!-- db properties file -->
<argument>${basedir}/../utils/conf/db.properties</argument>
<argument>${basedir}/../utils/conf/db.properties.override</argument>
<!-- simulator sql files -->
<argument>${basedir}/developer-saml.sql</argument>
<!-- upgrade -->
<argument>com.cloud.upgrade.DatabaseUpgradeChecker</argument>
<argument>--rootpassword=${db.root.password}</argument>
</arguments>
<systemProperties>
<systemProperty>
<key>catalina.home</key>
<value>${basedir}/../utils</value>
</systemProperty>
<systemProperty>
<key>paths.script</key>
<value>${basedir}/target/db</value>
</systemProperty>
</systemProperties>
</configuration>
</plugin>
</plugins>
</build>
</profile>
<profile>
<!-- simulator deploydb property -->
<id>deploydb-simulator</id>
<activation>
<property>
<name>deploydb-simulator</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<dependencies>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>${cs.mysql.version}</version>
</dependency>
</dependencies>
<version>1.2.1</version>
<executions>
<execution>
<phase>process-resources</phase>
<id>create-schema-simulator</id>
<goals>
<goal>java</goal>
</goals>
</execution>
</executions>
<configuration>
<mainClass>com.cloud.upgrade.DatabaseCreator</mainClass>
<includePluginDependencies>true</includePluginDependencies>
<arguments>
<!-- db properties file -->
<argument>${basedir}/../utils/conf/db.properties</argument>
<argument>${basedir}/../utils/conf/db.properties.override</argument>
<!-- simulator sql files -->
<argument>${basedir}/target/db/create-schema-simulator.sql</argument>
<argument>${basedir}/target/db/templates.simulator.sql</argument>
<argument>${basedir}/target/db/hypervisor_capabilities.simulator.sql</argument>
<!-- upgrade -->
<argument>com.cloud.upgrade.DatabaseUpgradeChecker</argument>
<argument>--database=simulator</argument>
<argument>--rootpassword=${db.root.password}</argument>
</arguments>
<systemProperties>
<systemProperty>
<key>catalina.home</key>
<value>${basedir}/../utils</value>
</systemProperty>
<systemProperty>
<key>paths.script</key>
<value>${basedir}/target/db</value>
</systemProperty>
</systemProperties>
</configuration>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
Reference in New Issue View Git Blame Copy Permalink