apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity
cloudstack/ui/scripts/accountsWizard.js
Rohit Yadav 107595a6a5 CLOUDSTACK-8457: SAML auth plugin improvements for production usage 
* Move config options to SAML plugin
  This moves all configuration options from Config.java to SAML auth manager. This
  allows us to use the config framework.
* Make SAML2UserAuthenticator validate SAML token in httprequest
* Make logout API use ConfigKeys defined in saml auth manager
* Before doing SAML auth, cleanup local states and cookies
* Fix configurations in 4.5.1 to 4.5.2 upgrade path
* Fail if idp has no sso URL defined
* Add a default set of SAML SP cert for testing purposes
  Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb
* UI remembers login selections, IDP server

- CLOUDSTACK-8458:
    * On UI show dropdown list of discovered IdPs
    * Support SAML Federation, where there may be more than one IdP
        - New datastructure to hold metadata of SP or IdP
        - Recursive processing of IdP metadata
        - Fix login/logout APIs to get new interface and metadata data structure
        - Add org/contact information to metadata
        - Add new API: listIdps that returns list of all discovered IdPs
        - Refactor and cleanup code and tests

- CLOUDSTACK-8459:
    * Add HTTP-POST binding to SP metadata
    * Authn requests must use either HTTP POST/Artifact binding

- CLOUDSTACK-8461:
    * Use unspecified x509 cert as a fallback encryption/signing key
      In case a IDP's metadata does not clearly say if their certificates need to be
      used as signing or encryption and we don't find that, fallback to use the
      unspecified key itself.

- CLOUDSTACK-8462:
    * SAML Auth plugin should not do authorization
      This removes logic to create user if they don't exist. This strictly now
      assumes that users have been already created/imported/authorized by admins.
      As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using
      either HTTP POST or HTTP Artifact binding to transfer the message through a
      user agent (browser in our case). The use of HTTP Redirect was one of the reasons
      why this plugin failed to work for some IdP servers that enforce this.
    * Add new User Source
      By reusing the source field, we can find if a user has been SAML enabled or not.
      The limitation is that, once say a user is imported by LDAP and then SAML
      enabled - they won't be able to use LDAP for authentication
    * UI should allow users to pass in domain they want to log into, though it is
      optional and needed only when a user has accounts across domains with same
      username and authorized IDP server
    * SAML users need to be authorized before they can authenticate
        - New column entity to track saml entity id for a user
        - Reusing source column to check if user is saml enabled or not
        - Add new source types, saml2 and saml2disabled
        - New table saml_token to solve the issue of multiple users across domains and
          to enforce security by tracking authn token and checking the samlresponse for
          the tokens
        - Implement API: authorizeSamlSso to enable/disable saml authentication for a
          user
        - Stubs to implement saml token flushing/expiry

- CLOUDSTACK-8463:
    * Use username attribute specified in global setting
      Use username attribute defined by admin from a global setting
      In case of encrypted assertion/attributes:
      - Decrypt them
      - Check signature if provided to check authenticity of message using IdP's
        public key and SP's private key
      - Loop through attributes to find the username

- CLOUDSTACK-8538:
    * Add new global config for SAML request sig algorithm

- CLOUDSTACK-8539:
    * Add metadata refresh timer task and token expiring
        - Fix domain path and save it to saml_tokens
        - Expire hour old saml tokens
        - Refresh metadata based on timer task
        - Fix unit tests

This closes #489

(cherry picked from commit 20ce346f3acb794b08a51841bab2188d426bf7dc)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

Conflicts:
	client/WEB-INF/classes/resources/messages_hu.properties
	plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/wrapper/xenbase/CitrixCheckHealthCommandWrapper.java
	plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
	ui/scripts/ui-custom/login.js
2015-06-29 12:31:51 +02:00

318 lines
12 KiB
JavaScript
Raw Blame History

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
(function(cloudStack, $) {
var rootDomainId;
cloudStack.accountsWizard = {
informationWithinLdap: {
username: {
label: 'label.username',
validation: {
required: true
},
docID: 'helpAccountUsername'
},
password: {
label: 'label.password',
validation: {
required: true
},
isPassword: true,
id: 'password',
docID: 'helpAccountPassword'
},
'password-confirm': {
label: 'label.confirm.password',
validation: {
required: true,
equalTo: '#password'
},
isPassword: true,
docID: 'helpAccountConfirmPassword'
},
email: {
label: 'label.email',
validation: {
required: true,
email: true
},
docID: 'helpAccountEmail'
},
firstname: {
label: 'label.first.name',
validation: {
required: true
},
docID: 'helpAccountFirstName'
},
lastname: {
label: 'label.last.name',
validation: {
required: true
},
docID: 'helpAccountLastName'
}
},
informationNotInLdap: {
domainid: {
label: 'label.domain',
docID: 'helpAccountDomain',
validation: {
required: true
},
select: function(args) {
$.ajax({
url: createURL("listDomains"),
success: function(json) {
var items = [];
domainObjs = json.listdomainsresponse.domain;
$(domainObjs).each(function() {
items.push({
id: this.id,
description: this.path
});
if (this.level === 0)
rootDomainId = this.id;
});
items.sort(function(a, b) {
return a.description.localeCompare(b.description);
});
args.response.success({
data: items
});
}
});
}
},
account: {
label: 'label.account',
docID: 'helpAccountAccount',
validation: {
required: false
}
},
accounttype: {
label: 'label.type',
docID: 'helpAccountType',
validation: {
required: true
},
select: function(args) {
var items = [];
items.push({
id: 0,
description: "User"
}); //regular-user
items.push({
id: 1,
description: "Admin"
}); //root-admin
args.response.success({
data: items
});
}
},
timezone: {
label: 'label.timezone',
docID: 'helpAccountTimezone',
select: function(args) {
var items = [];
items.push({
id: "",
description: ""
});
for (var p in timezoneMap)
items.push({
id: p,
description: timezoneMap[p]
});
args.response.success({
data: items
});
}
},
networkdomain: {
label: 'label.network.domain',
docID: 'helpAccountNetworkDomain',
validation: {
required: false
}
},
ldapGroupName: {
label: 'label.ldap.group.name',
docID: 'helpLdapGroupName',
validation: {
required: false
}
},
samlEnable: {
label: 'label.saml.enable',
docID: 'helpSamlEnable',
isBoolean: true,
validation: {
required: false
}
},
samlEntity: {
label: 'label.saml.entity',
docID: 'helpSamlEntity',
validation: {
required: false
},
select: function(args) {
var items = [];
$(g_idpList).each(function() {
items.push({
id: this.id,
description: this.orgName
});
});
args.response.success({
data: items
});
}
}
},
action: function(args) {
var array1 = [];
var ldapStatus = args.isLdap;
if (args.username) {
array1.push("&username=" + args.username);
}
if (!ldapStatus) {
var password = args.data.password;
if (md5Hashed) {
password = $.md5(password);
}
array1.push("&email=" + args.data.email);
array1.push("&firstname=" + args.data.firstname);
array1.push("&lastname=" + args.data.lastname);
password = args.data.password;
if (md5Hashed) {
password = $.md5(password);
} else {
password = todb(password);
}
array1.push("&password=" + password);
}
array1.push("&domainid=" + args.data.domainid);
var account = args.data.account;
if (account !== null && account.length > 0) {
array1.push("&account=" + account);
}
var accountType = args.data.accounttype;
if (accountType == "1") { //if "admin" is selected in account type dropdown
if (rootDomainId == undefined || args.data.domainid != rootDomainId ) { //but current login has no visibility to root domain object, or the selected domain is not root domain
accountType = "2"; // change accountType from root-domain("1") to domain-admin("2")
}
}
array1.push("&accounttype=" + accountType);
if (args.data.timezone !== null && args.data.timezone.length > 0) {
array1.push("&timezone=" + args.data.timezone);
}
if (args.data.networkdomain !== null && args.data.networkdomain.length > 0) {
array1.push("&networkdomain=" + args.data.networkdomain);
}
if (args.groupname && args.groupname !== null && args.groupname.length > 0) {
array1.push("&group=" + args.groupname);
}
var authorizeUsersForSamlSSO = function (users, entity) {
for (var i = 0; i < users.length; i++) {
$.ajax({
url: createURL('authorizeSamlSso&enable=true&userid=' + users[i].id + "&entityid=" + entity),
error: function(XMLHttpResponse) {
args.response.error(parseXMLHttpResponse(XMLHttpResponse));
}
});
}
return;
};
if (ldapStatus) {
if (args.groupname) {
$.ajax({
url: createURL('importLdapUsers' + array1.join("")),
dataType: "json",
type: "POST",
async: false,
success: function (json) {
if (json.ldapuserresponse && args.data.samlEnable && args.data.samlEnable === 'on') {
cloudStack.dialog.notice({
message: "Unable to find users IDs to enable SAML Single Sign On, kindly enable it manually."
});
}
},
error: function(XMLHttpResponse) {
args.response.error(parseXMLHttpResponse(XMLHttpResponse));
}
});
} else if (args.username) {
$.ajax({
url: createURL('ldapCreateAccount' + array1.join("")),
dataType: "json",
type: "POST",
async: false,
success: function(json) {
if (args.data.samlEnable && args.data.samlEnable === 'on') {
var users = json.createaccountresponse.account.user;
var entity = args.data.samlEntity;
if (users && entity)
authorizeUsersForSamlSSO(users, entity);
}
},
error: function(XMLHttpResponse) {
args.response.error(parseXMLHttpResponse(XMLHttpResponse));
}
});
}
} else {
$.ajax({
url: createURL('createAccount' + array1.join("")),
dataType: "json",
type: "POST",
async: false,
success: function(json) {
if (args.data.samlEnable && args.data.samlEnable === 'on') {
var users = json.createaccountresponse.account.user;
var entity = args.data.samlEntity;
if (users && entity)
authorizeUsersForSamlSSO(users, entity);
}
},
error: function(XMLHttpResponse) {
args.response.error(parseXMLHttpResponse(XMLHttpResponse));
}
});
}
}
};
}(cloudStack, jQuery));
Reference in New Issue View Git Blame Copy Permalink