package io.cattle.platform.iaas.api.auth.integration.ldap.ad;
import io.cattle.platform.api.auth.Identity;
import io.cattle.platform.core.util.SettingsUtils;
import io.cattle.platform.iaas.api.auth.AbstractTokenUtil;
import io.cattle.platform.iaas.api.auth.SecurityConstants;
import io.cattle.platform.iaas.api.auth.integration.ldap.LDAPUtils;
import io.cattle.platform.iaas.api.auth.integration.ldap.interfaces.LDAPConstants;
import io.cattle.platform.json.JsonMapper;
import io.cattle.platform.util.type.CollectionUtils;
import io.github.ibuildthecloud.gdapi.factory.SchemaFactory;
import io.github.ibuildthecloud.gdapi.model.ListOptions;
import io.github.ibuildthecloud.gdapi.request.ApiRequest;
import io.github.ibuildthecloud.gdapi.request.resource.impl.AbstractNoOpResourceManager;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import org.apache.commons.lang3.StringUtils;
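/**
 * Resource manager for the Active Directory authentication configuration.
 *
 * <p>A create request on the {@code ADConstants.CONFIG} type is validated, persisted
 * through {@link SettingsUtils}, and answered with the effective {@link ADConfig}.
 * A list request returns the single persisted configuration.
 */
public class ADConfigManager extends AbstractNoOpResourceManager {

    @Inject
    SettingsUtils settingsUtils;
    @Inject
    JsonMapper jsonMapper;
    @Inject
    ADIdentityProvider adIdentityProvider;

    @Override
    public Class<?>[] getTypeClasses() {
        return new Class<?>[]{ADConfig.class};
    }

    /**
     * Validates and persists an incoming AD configuration.
     *
     * @param type    resource type name (unused; the request's own type is checked instead)
     * @param request the API request carrying the new configuration
     * @return the effective configuration after the update, or {@code null} when the
     *         request is not for the AD config type
     */
    @Override
    protected Object createInternal(String type, ApiRequest request) {
        if (!StringUtils.equals(ADConstants.CONFIG, request.getType())) {
            return null;
        }
        // Validate the submitted settings before any of them are written.
        LDAPConstants config = request.proxyRequestObject(LDAPConstants.class);
        LDAPUtils.validateConfig(config);
        Map<String, Object> configMap = CollectionUtils.toMap(request.getRequestObject());
        return updateCurrentConfig(configMap);
    }

    /**
     * Builds the configuration that results from applying {@code config} on top of the
     * persisted one: every field present (non-null) in the request overrides the stored
     * value, everything else is kept.
     *
     * @param config request body as a map, keyed by the {@code ADConstants.CONFIG_*} names
     * @return the merged configuration
     */
    private ADConfig currentLdapConfig(Map<String, Object> config) {
        ADConfig current = (ADConfig) listInternal(null, null, null, null);

        String domain = stringOr(config, ADConstants.CONFIG_DOMAIN, current.getDomain());
        String groupSearchDomain = stringOr(config, ADConstants.CONFIG_GROUP_SEARCH_DOMAIN, current.getGroupSearchDomain());
        String server = stringOr(config, ADConstants.CONFIG_SERVER, current.getServer());
        String loginDomain = stringOr(config, ADConstants.CONFIG_LOGIN_DOMAIN, current.getLoginDomain());
        String accessMode = stringOr(config, AbstractTokenUtil.ACCESSMODE, current.getAccessMode());
        String serviceAccountUsername = stringOr(config, ADConstants.CONFIG_SERVICE_ACCOUNT_USERNAME, current.getServiceAccountUsername());
        String serviceAccountPassword = stringOr(config, ADConstants.CONFIG_SERVICE_ACCOUNT_PASSWORD, current.getServiceAccountPassword());
        boolean tls = booleanOr(config, ADConstants.CONFIG_TLS, current.getTls());
        int port = intOr(config, ADConstants.CONFIG_PORT, current.getPort());
        // The request's "security" flag maps onto the config's "enabled" field.
        boolean enabled = booleanOr(config, ADConstants.CONFIG_SECURITY, current.getEnabled());
        String userSearchField = stringOr(config, ADConstants.CONFIG_USER_SEARCH_FIELD, current.getUserSearchField());
        String groupSearchField = stringOr(config, ADConstants.CONFIG_GROUP_SEARCH_FIELD, current.getGroupSearchField());
        String userLoginField = stringOr(config, ADConstants.CONFIG_USER_LOGIN_FIELD, current.getUserLoginField());
        int userDisabledBitMask = intOr(config, ADConstants.CONFIG_USER_DISABLED_BIT_MASK, current.getUserDisabledBitMask());
        String userObjectClass = stringOr(config, ADConstants.CONFIG_USER_OBJECT_CLASS, current.getUserObjectClass());
        String userNameField = stringOr(config, ADConstants.CONFIG_USER_NAME_FIELD, current.getUserNameField());
        String userEnabledAttribute = stringOr(config, ADConstants.CONFIG_USER_ENABLED_ATTRIBUTE, current.getUserEnabledAttribute());
        String groupObjectClass = stringOr(config, ADConstants.CONFIG_GROUP_OBJECT_CLASS, current.getGroupObjectClass());
        String groupNameField = stringOr(config, ADConstants.CONFIG_GROUP_NAME_FIELD, current.getGroupNameField());

        // Allowed identities are only re-resolved when the request supplies them AND the
        // requested access mode actually uses an allow-list (restricted or required).
        List<Identity> identities = current.getAllowedIdentities();
        String accessModeInConfig = (String) config.get(AbstractTokenUtil.ACCESSMODE);
        Object requestedIdentities = config.get(ADConstants.CONFIG_ALLOWED_IDENTITIES);
        if (requestedIdentities != null && accessModeInConfig != null
                && (AbstractTokenUtil.isRestrictedAccess(accessModeInConfig)
                    || AbstractTokenUtil.isRequiredAccess(accessModeInConfig))) {
            @SuppressWarnings("unchecked")
            List<Map<String, String>> requested = (List<Map<String, String>>) requestedIdentities;
            identities = adIdentityProvider.getIdentities(requested);
        }

        String groupDNField = stringOr(config, ADConstants.CONFIG_GROUP_DN_FIELD, current.getGroupDNField());
        String groupMemberUserAttribute = stringOr(config, ADConstants.CONFIG_GROUP_MEMBER_USER_ATTRIBUTE, current.getGroupMemberUserAttribute());

        // The timeout used to be taken from the request alone, so a request that omitted it
        // yielded a null timeout (or an NPE on unboxing) instead of the stored value like every
        // other field. Fall back to the same setting listInternal() reads.
        Long requestedTimeout = (Long) config.get(ADConstants.CONFIG_TIMEOUT);
        long connectionTimeout = requestedTimeout != null ? requestedTimeout : ADConstants.CONNECTION_TIMEOUT.get();

        return new ADConfig(server, port, userDisabledBitMask, loginDomain, domain, groupSearchDomain, enabled, accessMode,
                serviceAccountUsername, serviceAccountPassword, tls, userSearchField, userLoginField,
                userObjectClass, userNameField, userEnabledAttribute, groupSearchField, groupObjectClass, groupNameField,
                connectionTimeout, identities, groupDNField, groupMemberUserAttribute);
    }

    /** Request value for {@code key} as a String, or {@code fallback} when the key is absent or null. */
    private static String stringOr(Map<String, Object> config, Object key, String fallback) {
        Object value = config.get(key);
        return value == null ? fallback : (String) value;
    }

    /** Request value for {@code key} as a boolean, or {@code fallback} when the key is absent or null. */
    private static boolean booleanOr(Map<String, Object> config, Object key, boolean fallback) {
        Object value = config.get(key);
        return value == null ? fallback : (Boolean) value;
    }

    /**
     * Request value for {@code key} narrowed to an int, or {@code fallback} when the key is
     * absent or null. Numeric request values are expected to arrive as {@code Long}; any other
     * type throws {@link ClassCastException} — TODO confirm the request deserializer always yields Long.
     */
    private static int intOr(Map<String, Object> config, Object key, int fallback) {
        Object value = config.get(key);
        return value == null ? fallback : ((Long) value).intValue();
    }

    /**
     * Returns the persisted AD configuration. The list parameters are ignored: there is exactly
     * one configuration, assembled from the {@code ADConstants} / {@code SecurityConstants}
     * settings and the identities saved by {@link ADIdentityProvider}.
     *
     * <p>NOTE(review): the returned object carries the service-account password via
     * {@code getServiceAccountPassword()}; confirm the API layer masks it before serialization.
     */
    @Override
    protected Object listInternal(SchemaFactory schemaFactory, String type, Map<Object, Object> criteria, ListOptions options) {
        boolean enabled = SecurityConstants.SECURITY.get();
        boolean tls = ADConstants.TLS_ENABLED.get();
        String server = ADConstants.LDAP_SERVER.get();
        String loginDomain = ADConstants.LDAP_LOGIN_DOMAIN.get();
        String domain = ADConstants.LDAP_DOMAIN.get();
        String groupSearchDomain = ADConstants.LDAP_GROUP_SEARCH_DOMAIN.get();
        String accessMode = ADConstants.ACCESS_MODE.get();
        String serviceAccountPassword = ADConstants.SERVICE_ACCOUNT_PASSWORD.get();
        String serviceAccountUsername = ADConstants.SERVICE_ACCOUNT_USER.get();
        String userSearchField = ADConstants.USER_SEARCH_FIELD.get();
        String groupSearchField = ADConstants.GROUP_SEARCH_FIELD.get();
        String userLoginField = ADConstants.USER_LOGIN_FIELD.get();
        int port = ADConstants.LDAP_PORT.get();
        int userDisabledBitMask = ADConstants.USER_DISABLED_BIT_MASK.get();
        String userObjectClass = ADConstants.USER_OBJECT_CLASS.get();
        String userNameField = ADConstants.USER_NAME_FIELD.get();
        String groupObjectClass = ADConstants.GROUP_OBJECT_CLASS.get();
        String userEnabledAttribute = ADConstants.USER_ENABLED_ATTRIBUTE.get();
        String groupNameField = ADConstants.GROUP_NAME_FIELD.get();
        long connectionTimeout = ADConstants.CONNECTION_TIMEOUT.get();
        List<Identity> identities = adIdentityProvider.savedIdentities();
        String groupDNField = ADConstants.GROUP_DN_FIELD.get();
        String groupMemberUserAttribute = ADConstants.GROUP_MEMBER_USER_ATTRIBUTE.get();
        return new ADConfig(server, port, userDisabledBitMask, loginDomain, domain, groupSearchDomain, enabled, accessMode,
                serviceAccountUsername, serviceAccountPassword, tls, userSearchField, userLoginField, userObjectClass,
                userNameField, userEnabledAttribute, groupSearchField, groupObjectClass, groupNameField,
                connectionTimeout, identities, groupDNField, groupMemberUserAttribute);
    }

    /**
     * Writes the submitted configuration to the settings store and returns the effective
     * configuration afterwards.
     *
     * <p>Every key is written as given, including null, except the service-account password,
     * which is only written when the request carries one.
     *
     * @param config request body as a map, keyed by the {@code ADConstants.CONFIG_*} names
     * @return the merged configuration as seen after the update
     */
    public ADConfig updateCurrentConfig(Map<String, Object> config) {
        settingsUtils.changeSetting(ADConstants.ACCESS_MODE_SETTING, config.get(AbstractTokenUtil.ACCESSMODE));
        settingsUtils.changeSetting(ADConstants.DOMAIN_SETTING, config.get(ADConstants.CONFIG_DOMAIN));
        settingsUtils.changeSetting(ADConstants.GROUP_SEARCH_DOMAIN_SETTING, config.get(ADConstants.CONFIG_GROUP_SEARCH_DOMAIN));
        settingsUtils.changeSetting(ADConstants.GROUP_NAME_FIELD_SETTING, config.get(ADConstants.CONFIG_GROUP_NAME_FIELD));
        settingsUtils.changeSetting(ADConstants.GROUP_OBJECT_CLASS_SETTING, config.get(ADConstants.CONFIG_GROUP_OBJECT_CLASS));
        settingsUtils.changeSetting(ADConstants.GROUP_SEARCH_FIELD_SETTING, config.get(ADConstants.CONFIG_GROUP_SEARCH_FIELD));
        settingsUtils.changeSetting(ADConstants.LOGIN_DOMAIN_SETTING, config.get(ADConstants.CONFIG_LOGIN_DOMAIN));
        settingsUtils.changeSetting(ADConstants.PORT_SETTING, config.get(ADConstants.CONFIG_PORT));
        settingsUtils.changeSetting(ADConstants.SERVER_SETTING, config.get(ADConstants.CONFIG_SERVER));

        // A request that omits the password leaves the stored secret untouched.
        Object password = config.get(ADConstants.CONFIG_SERVICE_ACCOUNT_PASSWORD);
        if (password != null) {
            settingsUtils.changeSetting(ADConstants.SERVICE_ACCOUNT_PASSWORD_SETTING, password);
        }

        settingsUtils.changeSetting(ADConstants.SERVICE_ACCOUNT_USERNAME_SETTING, config.get(ADConstants.CONFIG_SERVICE_ACCOUNT_USERNAME));
        settingsUtils.changeSetting(ADConstants.TLS_SETTING, config.get(ADConstants.CONFIG_TLS));
        settingsUtils.changeSetting(ADConstants.USER_DISABLED_BIT_MASK_SETTING, config.get(ADConstants.CONFIG_USER_DISABLED_BIT_MASK));
        settingsUtils.changeSetting(ADConstants.USER_ENABLED_ATTRIBUTE_SETTING, config.get(ADConstants.CONFIG_USER_ENABLED_ATTRIBUTE));
        settingsUtils.changeSetting(ADConstants.USER_LOGIN_FIELD_SETTING, config.get(ADConstants.CONFIG_USER_LOGIN_FIELD));
        settingsUtils.changeSetting(ADConstants.USER_NAME_FIELD_SETTING, config.get(ADConstants.CONFIG_USER_NAME_FIELD));
        settingsUtils.changeSetting(ADConstants.USER_OBJECT_CLASS_SETTING, config.get(ADConstants.CONFIG_USER_OBJECT_CLASS));
        settingsUtils.changeSetting(ADConstants.USER_SEARCH_FIELD_SETTING, config.get(ADConstants.CONFIG_USER_SEARCH_FIELD));
        settingsUtils.changeSetting(ADConstants.TIMEOUT_SETTING, config.get(ADConstants.CONFIG_TIMEOUT));

        Object securityFlag = config.get(ADConstants.CONFIG_SECURITY);
        settingsUtils.changeSetting(SecurityConstants.SECURITY_SETTING, securityFlag);
        // NOTE(review): the auth provider is selected on the *presence* of the security flag,
        // not its value, so a request with the flag set to false still selects the AD provider
        // (with SECURITY_SETTING false). Confirm this is the intended semantics.
        if (securityFlag != null) {
            settingsUtils.changeSetting(SecurityConstants.AUTH_PROVIDER_SETTING, ADConstants.CONFIG);
        } else {
            settingsUtils.changeSetting(SecurityConstants.AUTH_PROVIDER_SETTING, SecurityConstants.NO_PROVIDER);
        }

        persistAllowedIdentities(config);
        return currentLdapConfig(config);
    }

    /**
     * Stores or clears the allowed-identities allow-list according to the requested access mode:
     * restricted/required modes validate and store the submitted identities, unrestricted mode
     * clears the setting, any other mode leaves it as is.
     */
    private void persistAllowedIdentities(Map<String, Object> config) {
        String accessModeInConfig = (String) config.get(AbstractTokenUtil.ACCESSMODE);
        // NOTE(review): accessModeInConfig may be null here; the AbstractTokenUtil predicates
        // are assumed to tolerate null — confirm.
        if (AbstractTokenUtil.isRestrictedAccess(accessModeInConfig) || AbstractTokenUtil.isRequiredAccess(accessModeInConfig)) {
            @SuppressWarnings("unchecked")
            List<Map<String, String>> requested = (List<Map<String, String>>) config.get(ADConstants.CONFIG_ALLOWED_IDENTITIES);
            // validateIdentities returns the value that is persisted for the allow-list setting.
            String ids = adIdentityProvider.validateIdentities(requested);
            settingsUtils.changeSetting(ADConstants.ALLOWED_IDENTITIES_SETTING, ids);
        } else if (AbstractTokenUtil.isUnrestrictedAccess(accessModeInConfig)) {
            settingsUtils.changeSetting(ADConstants.ALLOWED_IDENTITIES_SETTING, null);
        }
    }

    /** Name under which this manager is registered. */
    public String getName() {
        return ADConstants.MANAGER;
    }
}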