
Merge pull request #202 from sarathmohan4/poc_cicd

Okta auth implementation and refactoring
sivanag1974 committed Oct 9, 2019
2 parents f35f4d8 + d2d6dfc commit bc2454efa678e3e376194419418f1b261470c64b
Showing with 404 additions and 141 deletions.
  1. +3 −0 dist/src/main/components/hcorp/conf/safeadmin.json
  2. +1 −0 dist/src/main/components/hcorp/conf/selfservicesupport_policy.json
  3. +46 −0 tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/LdapAuth.java
  4. +46 −0 tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/OktaAuth.java
  5. +47 −0 tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/UserPassAuth.java
  6. +42 −0 tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/VaultAuth.java
  7. +74 −0 tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/VaultAuthFactory.java
  8. +38 −15 tvaultapi/src/main/java/com/tmobile/cso/vault/api/controller/ControllerUtil.java
  9. +3 −2 tvaultapi/src/main/java/com/tmobile/cso/vault/api/process/ResponseTransformer.java
  10. +7 −2 tvaultapi/src/main/java/com/tmobile/cso/vault/api/service/AWSSecretService.java
  11. +15 −43 tvaultapi/src/main/java/com/tmobile/cso/vault/api/service/SafesService.java
  12. +24 −64 tvaultapi/src/main/java/com/tmobile/cso/vault/api/service/ServiceAccountsService.java
  13. +8 −8 tvaultapi/src/main/java/com/tmobile/cso/vault/api/service/VaultAuthService.java
  14. +7 −6 tvaultapi/src/main/java/com/tmobile/cso/vault/api/utils/PolicyUtils.java
  15. +37 −1 tvaultapi/src/main/resources/com/tmobile/cso/vault/api/config/api_config.json
  16. +2 −0 tvaultapi/src/test/java/com/tmobile/cso/vault/api/controller/ControllerUtilTest.java
  17. +2 −0 tvaultapi/src/test/java/com/tmobile/cso/vault/api/service/VaultAuthServiceTest.java
  18. +2 −0 tvaultapi/src/test/java/com/tmobile/cso/vault/api/utils/PolicyUtilsTest.java
@@ -10,6 +10,9 @@
"auth/ldap/*":{
"policy":"write"
},
"auth/okta/*":{
"policy":"write"
},
"auth/aws/*":{
"policy":"write"
},
@@ -4,6 +4,7 @@
"sys/policy/*":{"policy":"write"},
"sys/lease/*":{"policy":"write"},
"auth/ldap/*":{"policy":"write"},
"auth/okta/*":{"policy":"write"},
"auth/aws/*":{"policy":"write"},
"auth/approle/*":{"policy":"write"},
"auth/userpass/*":{"policy":"write"},
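Review bot: The new `"auth/okta/*":{"policy":"write"}` grant gives the self-service support policy write on everything under the Okta mount, which includes `auth/okta/config` (the Okta org and API token), so a holder of this policy can repoint Vault's Okta backend rather than only manage user/group-to-policy mappings. The existing `auth/ldap/*` line has the same breadth, but this addition is the moment to narrow the new one. The Okta code paths in this commit only touch `/auth/okta/users` and `/auth/okta/users/configure`, so `"auth/okta/users/*":{"policy":"write"}` (plus `"auth/okta/groups/*"` if group mappings are managed from this role) looks sufficient; whether anything else under the mount is needed cannot be told from this page.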
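--- a/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/LdapAuth.java
+++ b/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/LdapAuth.java
@@ -0,0 +1,46 @@
+package com.tmobile.cso.vault.api.authentication;
+
+import com.tmobile.cso.vault.api.controller.ControllerUtil;
+import com.tmobile.cso.vault.api.process.RequestProcessor;
+import com.tmobile.cso.vault.api.process.Response;
+import org.springframework.stereotype.Component;
+
+@Component
+public class LdapAuth extends VaultAuth {
+
+/**
+* Ldap login
+* @param jsonStr
+* @return
+*/
+@Override
+public Response login(String jsonStr) {
+RequestProcessor requestProcessor = getReqProcessor();
+return requestProcessor.process("/auth/ldap/login",jsonStr,"");
+}
+
+/**
+* Read user for ldap backend
+* @param jsonStr
+* @param token
+* @return
+*/
+@Override
+public Response readUser(String jsonStr, String token) {
+RequestProcessor requestProcessor = getReqProcessor();
+return requestProcessor.process("/auth/ldap/users", jsonStr, token);
+}
+
+/**
+* Configure user with policies for ldap auth backend
+* @param userName
+* @param policiesString
+* @param groups
+* @param token
+* @return
+*/
+@Override
+public Response configureUser(String userName, String policiesString, String groups, String token) {
+return ControllerUtil.configureLDAPUser(userName,policiesString,groups,token);
+}
+}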
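--- a/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/OktaAuth.java
+++ b/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/OktaAuth.java
@@ -0,0 +1,46 @@
+package com.tmobile.cso.vault.api.authentication;
+
+import com.tmobile.cso.vault.api.controller.ControllerUtil;
+import com.tmobile.cso.vault.api.process.RequestProcessor;
+import com.tmobile.cso.vault.api.process.Response;
+import org.springframework.stereotype.Component;
+
+@Component
+public class OktaAuth extends VaultAuth {
+
+/**
+* Okta login
+* @param jsonStr
+* @return
+*/
+@Override
+public Response login(String jsonStr) {
+RequestProcessor requestProcessor = getReqProcessor();
+return requestProcessor.process("/auth/okta/login", jsonStr,"");
+}
+
+/**
+* Read user for okta backend
+* @param jsonStr
+* @param token
+* @return
+*/
+@Override
+public Response readUser(String jsonStr, String token) {
+RequestProcessor requestProcessor = getReqProcessor();
+return requestProcessor.process("/auth/okta/users", jsonStr,token);
+}
+
+/**
+* Configure user with policies for okta auth backend
+* @param userName
+* @param policiesString
+* @param groups
+* @param token
+* @return
+*/
+@Override
+public Response configureUser(String userName, String policiesString, String groups, String token) {
+return ControllerUtil.configureOktaUser(userName,policiesString,groups,token);
+}
+}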
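Review bot: Every Javadoc block in `OktaAuth` has empty `@param`/`@return` tags, which is worse than no tags because tooling treats them as documented. On `login`, say what the body is and where it goes: `@param jsonStr JSON body forwarded unchanged to /auth/okta/login (presumably the user's Okta username and password — confirm against the caller)` and `@return the backend's Response`. On `readUser` and `configureUser`, `@param token Vault token authorising the call` and, for `configureUser`, `@param groups Okta group names stored alongside the policies on the user entry` describe what the visible calls actually pass through.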
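--- a/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/UserPassAuth.java
+++ b/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/UserPassAuth.java
@@ -0,0 +1,47 @@
+package com.tmobile.cso.vault.api.authentication;
+
+import com.tmobile.cso.vault.api.controller.ControllerUtil;
+import com.tmobile.cso.vault.api.process.RequestProcessor;
+import com.tmobile.cso.vault.api.process.Response;
+import org.springframework.stereotype.Component;
+
+@Component
+public class UserPassAuth extends VaultAuth {
+
+
+/**
+* Userpass login
+* @param jsonStr
+* @return
+*/
+@Override
+public Response login(String jsonStr) {
+RequestProcessor requestProcessor = getReqProcessor();
+return requestProcessor.process("/auth/userpass/login",jsonStr,"");
+}
+
+/**
+* Read user for userpass auth backend
+* @param jsonStr
+* @param token
+* @return
+*/
+@Override
+public Response readUser(String jsonStr, String token) {
+RequestProcessor requestProcessor = getReqProcessor();
+return requestProcessor.process("/auth/userpass/users", jsonStr, token);
+}
+
+/**
+* Configure user with policies for userpass auth backend
+* @param userName
+* @param policiesString
+* @param groups
+* @param token
+* @return
+*/
+@Override
+public Response configureUser(String userName, String policiesString, String groups, String token) {
+return ControllerUtil.configureUserpassUser(userName,policiesString,token);
+}
+}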
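Review bot: `configureUser` silently discards its `groups` argument — the delegate call is `ControllerUtil.configureUserpassUser(userName,policiesString,token)` with no groups parameter — yet the `@param groups` tag is empty, so a caller of the `VaultAuth` contract has no way to know the value is dropped for this backend. Add a comment above the call, `// userpass has no group mapping; groups is accepted for interface compatibility and ignored`, and fill the tag with `@param groups ignored for the userpass backend`. The `readUser` path also changed from the old `/auth/userpass/read` (seen in the removed ControllerUtil lines) to `/auth/userpass/users`; if that relies on a new entry in api_config.json it is worth a one-line comment, since the two strings differ only in this file.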
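--- a/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/VaultAuth.java
+++ b/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/VaultAuth.java
@@ -0,0 +1,42 @@
+package com.tmobile.cso.vault.api.authentication;
+
+import com.tmobile.cso.vault.api.process.RequestProcessor;
+import com.tmobile.cso.vault.api.process.Response;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public abstract class VaultAuth {
+
+@Autowired
+private RequestProcessor reqProcessor;
+
+public RequestProcessor getReqProcessor() {
+return reqProcessor;
+}
+
+/**
+* Vault login
+* @param jsonStr
+* @return
+*/
+public abstract Response login(String jsonStr);
+
+/**
+* Read user details
+* @param jsonStr
+* @param token
+* @return
+*/
+public abstract Response readUser(String jsonStr, String token);
+
+/**
+* Configure user with policies
+* @param userName
+* @param policiesString
+* @param groups
+* @param token
+* @return
+*/
+public abstract Response configureUser(String userName, String policiesString, String groups, String token);
+}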
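Review bot: `@Component` on `public abstract class VaultAuth` has no effect — component scanning skips abstract classes — so it only suggests a bean that never exists; drop it and keep the annotation on the concrete subclasses. More substantively, `LdapAuth`, `OktaAuth` and `UserPassAuth` implement `login` and `readUser` identically apart from the `/auth/<backend>` prefix, so the path convention now lives in three files; an abstract `mountPath()` here lets the base class implement both once and leaves only `configureUser` backend-specific. The empty `@param`/`@return` tags should state the contract, e.g. `@param token Vault token authorising the call (login sends an empty token)` and `@param groups backend group names; backends without group mapping may ignore it`.
```java
protected abstract String mountPath(); // e.g. "/auth/okta"

public Response login(String jsonStr) {
    return getReqProcessor().process(mountPath() + "/login", jsonStr, "");
}

public Response readUser(String jsonStr, String token) {
    return getReqProcessor().process(mountPath() + "/users", jsonStr, token);
}
// … unchanged: configureUser stays abstract and per-backend …
```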
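--- a/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/VaultAuthFactory.java
+++ b/tvaultapi/src/main/java/com/tmobile/cso/vault/api/authentication/VaultAuthFactory.java
@@ -0,0 +1,74 @@
+package com.tmobile.cso.vault.api.authentication;
+
+import com.tmobile.cso.vault.api.process.Response;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+@Component
+public class VaultAuthFactory {
+
+@Value("${vault.auth.method}")
+private String vaultAuthMethod;
+
+@Autowired
+LdapAuth ldapAuth;
+
+@Autowired
+UserPassAuth userPassAuth;
+
+@Autowired
+OktaAuth oktaAuth;
+
+/**
+* Get vault auth method
+* @return
+*/
+private VaultAuth getAuth() {
+VaultAuth vaultAuth;
+switch (vaultAuthMethod) {
+case "ldap":
+vaultAuth = ldapAuth;
+break;
+case "okta":
+vaultAuth = oktaAuth;
+break;
+default:
+vaultAuth = userPassAuth;
+break;
+}
+return vaultAuth;
+}
+
+/**
+* Perform login for all auth backend
+* @param jsonStr
+* @return
+*/
+public Response login(String jsonStr) {
+return getAuth().login(jsonStr);
+}
+
+/**
+* Read user details
+* @param userName
+* @param token
+* @return
+*/
+public Response readUser(String userName, String token) {
+String jsonStr = "{\"username\":\""+userName+"\"}";
+return getAuth().readUser(jsonStr, token);
+}
+
+/**
+* Configure user with policies
+* @param userName
+* @param policiesString
+* @param groups
+* @param token
+* @return
+*/
+public Response configureUser(String userName, String policiesString, String groups, String token) {
+return getAuth().configureUser(userName,policiesString,groups,token);
+}
+}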
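Review bot: `readUser` builds the request body by concatenation, `"{\"username\":\""+userName+"\"}"`, so a username containing a quote or backslash produces malformed JSON or extra fields in the body sent to the auth backend; the removed ControllerUtil lines did the same, but this method is now the single path every backend's user lookup goes through, so it is the place to serialise properly (Jackson's `ObjectMapper`, as `ControllerUtil.configureOktaUser` already does — this file would need the `ObjectMapper` and `JsonProcessingException` imports). Separately, `getAuth` sends any `vault.auth.method` value other than exactly `"ldap"` or `"okta"` to userpass, whereas the replaced ControllerUtil branches treated everything that was not `TVaultConstants.USERPASS` as LDAP, so a value such as `"LDAP"` or a typo now silently logs users in against a different backend than before; a `default:` that throws `IllegalStateException("unsupported vault.auth.method: " + vaultAuthMethod)` fails at startup instead, and comparing against the same constants ControllerUtil uses keeps the two in step. The rewritten `readUser` below throws on a serialisation failure rather than sending a partial body; adjust to the project's `Response` error convention if one is preferred.
```java
public Response readUser(String userName, String token) {
    String jsonStr;
    try {
        jsonStr = new ObjectMapper().writeValueAsString(Collections.singletonMap("username", userName));
    } catch (JsonProcessingException e) {
        throw new IllegalArgumentException("cannot serialise username for user lookup", e);
    }
    return getAuth().readUser(jsonStr, token);
}
```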
@@ -36,6 +36,7 @@

import javax.annotation.PostConstruct;

import com.tmobile.cso.vault.api.authentication.VaultAuthFactory;
import com.tmobile.cso.vault.api.model.*;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang3.ArrayUtils;
@@ -115,6 +116,13 @@ public void setreqProcessor(RequestProcessor reqProcessor) {
ControllerUtil.reqProcessor = reqProcessor;
}

private static VaultAuthFactory vaultAuthFactory;

@Autowired(required = true)
public void setTvaultAuthFactory(VaultAuthFactory vaultAuthFactory) {
ControllerUtil.vaultAuthFactory = vaultAuthFactory;
}

/**
* Method to get requestProcessor
* @return
@@ -407,6 +415,33 @@ public static Response configureLDAPUser(String userName,String policies,String
return reqProcessor.process("/auth/ldap/users/configure",ldapUserConfigJson,token);
}

public static Response configureOktaUser(String userName,String policies,String groups,String token ){
log.error(JSONUtil.getJSON(ImmutableMap.<String, String>builder().
put(LogMessage.USER, ThreadLocalContext.getCurrentMap().get(LogMessage.USER).toString()).
put(LogMessage.ACTION, "configureOktaUser").
put(LogMessage.MESSAGE, String.format ("Trying configureOktaUser with username [%s] policies [%s] and groups [%s] ", userName, policies, groups)).
put(LogMessage.APIURL, ThreadLocalContext.getCurrentMap().get(LogMessage.APIURL).toString()).
build()));
ObjectMapper objMapper = new ObjectMapper();
Map<String,String>configureUserMap = new HashMap<String,String>();
configureUserMap.put("username", userName);
configureUserMap.put("policies", policies);
configureUserMap.put("groups", groups);
String oktaUserConfigJson ="";
try {
oktaUserConfigJson = objMapper.writeValueAsString(configureUserMap);
} catch (JsonProcessingException e) {
log.error(e);
log.error(JSONUtil.getJSON(ImmutableMap.<String, String>builder().
put(LogMessage.USER, ThreadLocalContext.getCurrentMap().get(LogMessage.USER).toString()).
put(LogMessage.ACTION, "configureLDAPUser").
put(LogMessage.MESSAGE, String.format ("Unable to create oktaUserConfigJson [%s] with username [%s] policies [%s] and groups [%s] ", e.getMessage(), userName, policies, groups)).
put(LogMessage.APIURL, ThreadLocalContext.getCurrentMap().get(LogMessage.APIURL).toString()).
build()));
}
return reqProcessor.process("/auth/okta/users/configure",oktaUserConfigJson,token);
}

public static Response configureUserpassUser(String userName,String policies,String token ){
ObjectMapper objMapper = new ObjectMapper();
Map<String,String>configureUserMap = new HashMap<String,String>();
@@ -815,13 +850,8 @@ public static void updateUserPolicyAssociationOnSDBDelete(String sdb,Map<String,
ObjectMapper objMapper = new ObjectMapper();
for(String userName : users){

Response userResponse;
if (TVaultConstants.USERPASS.equals(vaultAuthMethod)) {
userResponse = reqProcessor.process("/auth/userpass/read","{\"username\":\""+userName+"\"}",token);
}
else {
userResponse = reqProcessor.process("/auth/ldap/users","{\"username\":\""+userName+"\"}",token);
}
Response userResponse = vaultAuthFactory.readUser(userName, token);

String responseJson="";
String groups="";
List<String> policies = new ArrayList<>();
@@ -859,14 +889,7 @@ public static void updateUserPolicyAssociationOnSDBDelete(String sdb,Map<String,
put(LogMessage.MESSAGE, String.format ("Current policies [%s]", policies )).
put(LogMessage.APIURL, ThreadLocalContext.getCurrentMap().get(LogMessage.APIURL).toString()).
build()));
if (TVaultConstants.USERPASS.equals(vaultAuthMethod)) {
log.debug ("Inside userpass");
ControllerUtil.configureUserpassUser(userName,policiesString,token);
}
else {
log.debug ("Inside non-userpass");
ControllerUtil.configureLDAPUser(userName,policiesString,groups,token);
}
vaultAuthFactory.configureUser(userName,policiesString,groups,token);
}

}
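Review bot: In `configureOktaUser`, a `JsonProcessingException` is logged and then execution falls through to `reqProcessor.process("/auth/okta/users/configure",oktaUserConfigJson,token)` with `oktaUserConfigJson` still `""`, so a serialisation failure becomes a configure call with an empty body instead of a failed operation; return a failure `Response` (in whatever form the file's other error paths use) from the catch block rather than continuing. The error log in that catch is labelled `put(LogMessage.ACTION, "configureLDAPUser")`, a copy-paste leftover that should read `put(LogMessage.ACTION, "configureOktaUser")` so the entry can be correlated. The "Trying configureOktaUser …" entry at the top of the method is emitted with `log.error` although nothing has failed; `log.debug` matches its content and keeps policy/group lists out of the error stream. `configureOktaUser` sits entirely within this hunk; the hunk's first and last lines belong to `configureLDAPUser` and `configureUserpassUser`, whose bodies continue outside it.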
@@ -38,7 +38,8 @@ public void transform(ApiConfig apiConfig,Map<String, Object> responseparams,Str
case "/auth/ldap/login":
case "/auth/userpass/login":
case "/auth/approle/login":
case "/auth/aws/login":{
case "/auth/aws/login":
case "/auth/okta/login":{
fetchSDBPaths(responseparams,token);
break;
}
@@ -95,7 +96,7 @@ private void fetchSDBPaths (Map<String, Object> responseparams,String token){
}
}
responseparams.put("access", accessMap);
if(policies.contains("safeadmin")){
if(policies.contains("safeadmin") || policies.contains("safeadmin_okta")){
responseparams.put("admin", "yes");
}else{
responseparams.put("admin", "no");
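Review bot: The admin check `if(policies.contains("safeadmin") || policies.contains("safeadmin_okta"))` now hard-codes a second policy name, but nothing in this commit defines a `safeadmin_okta` policy — the diffstat touches only `safeadmin.json` and `selfservicesupport_policy.json` — so either it is provisioned elsewhere or the new clause is dead; confirm, and if it exists add a comment saying why Okta admins carry a differently named policy. If `policies` is a `String` rather than a collection (its declaration is outside the hunk), `contains` is a substring test: `"safeadmin"` already matches `"safeadmin_okta"`, making the new clause redundant, and any policy whose name merely contains `safeadmin` would mark the caller as admin, so an element-wise exact comparison is the safer form either way. `fetchSDBPaths` starts and ends outside this hunk.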
