Yair Zaslavsky has uploaded a new change for review.
Change subject: aaa: using new extensions API in InternalDirectory
......................................................................
aaa: using new extensions API in InternalDirectory
Topic: AAA
Change-Id: I958443292da0455e0a12039fac98eebb9b17dee2
Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com>
---
A
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticatorProxy.java
A
backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/DirectoryProxy.java
M
backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalDirectory.java
3 files changed, 304 insertions(+), 75 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/77/26477/1
diff --git
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticatorProxy.java
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticatorProxy.java
new file mode 100644
index 0000000..e38f7cd
--- /dev/null
+++
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/AuthenticatorProxy.java
@@ -0,0 +1,54 @@
+package org.ovirt.engine.core.aaa;
+
+import java.util.Properties;
+
+import org.ovirt.engine.api.extensions.Base;
+import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.aaa.Authn;
+import org.ovirt.engine.api.extensionsold.AAAExtensionException;
+import org.ovirt.engine.core.extensions.mgr.ExtensionProxy;
+
+public class AuthenticatorProxy extends Authenticator {
+
+ private ExtensionProxy extension;
+
+ public AuthenticatorProxy(ExtensionProxy extension) {
+ this.extension = extension;
+ }
+
+ @Override
+ @Deprecated
+ public void init() {
+ }
+
+ @Override
+ @Deprecated
+ public void authenticate(String user, String password) {
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
+ ).mput(
+ Authn.InvokeKeys.USER, user
+ ).mput(
+ Authn.InvokeKeys.CREDENTIALS, password
+ );
+ ExtMap outputMap = extension.invoke(inputMap);
+ if (outputMap.<Integer> get(Authn.InvokeKeys.RESULT) ==
Authn.AuthResult.CREDENTIALS_INVALID) {
+ throw new
AAAExtensionException(AAAExtensionException.AAAExtensionError.INCORRECT_CREDENTIALS,
"");
+ }
+ }
+
+ @Override
+ @Deprecated
+ public String getName() {
+ return (String) extension.getContext().<String>
get(Base.ContextKeys.INSTANCE_NAME);
+ }
+
+ @Override
+ @Deprecated
+ public String getProfileName() {
+ return (String) extension.getContext().<Properties>
get(Base.ContextKeys.CONFIGURATION)
+ .getProperty("ovirt.engine.aaa.authn.profile.name");
+ }
+
+}
+
diff --git
a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/DirectoryProxy.java
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/DirectoryProxy.java
new file mode 100644
index 0000000..66f6f9f
--- /dev/null
+++
b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/DirectoryProxy.java
@@ -0,0 +1,171 @@
+package org.ovirt.engine.core.aaa;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.ovirt.engine.api.extensions.Base;
+import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.aaa.Authn;
+import org.ovirt.engine.api.extensions.aaa.Authz;
+import org.ovirt.engine.core.extensions.mgr.ExtensionProxy;
+
+public class DirectoryProxy extends Directory {
+
+ private ExtensionProxy extension;
+
+ public DirectoryProxy(ExtensionProxy extension) {
+ this.extension = extension;
+ }
+
+ @Deprecated
+ @Override
+ public void init() {
+ }
+
+ @Deprecated
+ @Override
+ public DirectoryUser findUser(String name) {
+ ExtMap authRecord = new ExtMap().mput(
+ Authn.AuthRecord.PRINCIPAL, name);
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
+ ).mput(Authn.InvokeKeys.AUTH_RECORD, authRecord);
+ ExtMap outputMap = extension.invoke(inputMap);
+ ExtMap principalRecord =
outputMap.<ExtMap>get(Authz.InvokeKeys.PRINCIPAL_RECORD);
+ if (principalRecord == null) {
+ return null;
+ }
+
+ return mapPrincipalRecord(principalRecord);
+ }
+
+ @Deprecated
+ @Override
+ public DirectoryUser findUserById(String id) {
+ List<DirectoryUser> users = findUsers(Arrays.asList(id));
+ if (users.isEmpty()) {
+ return null;
+ }
+ return users.get(0);
+ }
+
+ @Deprecated
+ @Override
+ public List<DirectoryUser> findUsers(List<String> ids) {
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
Authz.InvokeCommands.QUERY_PRINCIPALS_BY_IDS_OPEN
+ ).mput(Authz.InvokeKeys.PRINCIPAL_IDS, ids);
+ ExtMap outputMap = extension.invoke(inputMap);
+ return populateUsers(outputMap);
+ }
+
+ @Deprecated
+ @Override
+ public DirectoryGroup findGroup(String name) {
+ return null;
+ }
+
+ @Deprecated
+ @Override
+ public DirectoryGroup findGroupById(String id) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Deprecated
+ @Override
+ public List<DirectoryUser> queryUsers(String query) {
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND,
Authz.InvokeCommands.QUERY_PRINCIPALS_OPEN
+ ).mput(Authz.InvokeKeys.QUERY, query);
+ ExtMap outputMap = extension.invoke(inputMap);
+ return populateUsers(outputMap);
+ }
+
+ private List<DirectoryUser> populateUsers(ExtMap outputMap) {
+ List<DirectoryUser> directoryUsers = new ArrayList<>();
+ Object queryOpaque = outputMap.get(Authz.InvokeKeys.QUERY_OPAQUE);
+ while (true) {
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND, Authz.InvokeCommands.QUERY_EXECUTE
+ ).mput(Authz.InvokeKeys.QUERY_OPAQUE, queryOpaque);
+ outputMap = extension.invoke(inputMap);
+ ExtMap result = outputMap.get(Authz.InvokeKeys.QUERY_RESULT);
+ queryOpaque = outputMap.get(Authz.InvokeKeys.QUERY_OPAQUE);
+ if (result == null) {
+ break;
+ }
+ directoryUsers.add(mapPrincipalRecord(result));
+ }
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND, Authz.InvokeCommands.QUERY_CLOSE
+ ).mput(Authz.InvokeKeys.QUERY_OPAQUE, queryOpaque);
+ outputMap = extension.invoke(inputMap);
+ return directoryUsers;
+ }
+
+ private List<DirectoryGroup> populateGroups(ExtMap outputMap) {
+ List<DirectoryGroup> directoryGroups = new ArrayList<>();
+ Object queryOpaque = outputMap.get(Authz.InvokeKeys.QUERY_OPAQUE);
+ while (true) {
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND, Authz.InvokeCommands.QUERY_EXECUTE
+ ).mput(Authz.InvokeKeys.QUERY_OPAQUE, queryOpaque);
+ outputMap = extension.invoke(inputMap);
+ ExtMap result = outputMap.get(Authz.InvokeKeys.QUERY_RESULT);
+ queryOpaque = outputMap.get(Authz.InvokeKeys.QUERY_OPAQUE);
+ if (result == null) {
+ break;
+ }
+ directoryGroups.add(mapGroupRecord(result));
+ }
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND, Authz.InvokeCommands.QUERY_CLOSE
+ ).mput(Authz.InvokeKeys.QUERY_OPAQUE, queryOpaque);
+ outputMap = extension.invoke(inputMap);
+ return directoryGroups;
+ }
+
+ @Deprecated
+ @Override
+ public List<DirectoryGroup> queryGroups(String query) {
+ ExtMap inputMap = new ExtMap().mput(
+ Base.InvokeKeys.COMMAND, Authz.InvokeCommands.QUERY_GROUPS_OPEN
+ ).mput(Authz.InvokeKeys.QUERY, query);
+ ExtMap outputMap = extension.invoke(inputMap);
+ return populateGroups(outputMap);
+ }
+
+ private DirectoryUser mapPrincipalRecord(ExtMap principalRecord) {
+ DirectoryUser directoryUser = new DirectoryUser(
+ extension.getContext().<String>
get(Base.ContextKeys.INSTANCE_NAME),
+ principalRecord.<String> get(Authz.PrincipalRecord.NAME),
+ principalRecord.<String> get(Authz.PrincipalRecord.ID)
+ );
+ directoryUser.setDepartment(principalRecord.<String>
get(Authz.PrincipalRecord.DEPARTMENT));
+ directoryUser.setFirstName(principalRecord.<String>
get(Authz.PrincipalRecord.FIRST_NAME));
+ directoryUser.setLastName(principalRecord.<String>
get(Authz.PrincipalRecord.LAST_NAME));
+ directoryUser.setEmail(principalRecord.<String>
get(Authz.PrincipalRecord.EMAIL));
+ directoryUser.setTitle(principalRecord.<String>
get(Authz.PrincipalRecord.TITLE));
+ List<DirectoryGroup> directoryGroups = new ArrayList<DirectoryGroup>();
+ List<ExtMap> groups = principalRecord.<List<ExtMap>>
get(Authz.PrincipalRecord.GROUPS);
+ if (groups != null) {
+ for (ExtMap group : groups) {
+ directoryGroups.add(mapGroupRecord(group));
+ }
+ }
+ return directoryUser;
+ }
+
+ private DirectoryGroup mapGroupRecord(ExtMap group) {
+ DirectoryGroup directoryGroup = new DirectoryGroup(
+ extension.getContext().<String>
get(Base.ContextKeys.INSTANCE_NAME),
+ group.<String> get(Authz.GroupRecord.NAME),
+ group.<String> get(Authz.GroupRecord.ID)
+ );
+ // TODO - groups the group is member of?
+ return directoryGroup;
+ }
+
+}
diff --git
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalDirectory.java
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalDirectory.java
index 997b472..ff4e52f 100644
---
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalDirectory.java
+++
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/internal/InternalDirectory.java
@@ -1,18 +1,20 @@
package org.ovirt.engine.extensions.aaa.builtin.internal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
+import java.util.Arrays;
import java.util.Properties;
-import org.ovirt.engine.core.aaa.Directory;
-import org.ovirt.engine.core.aaa.DirectoryGroup;
-import org.ovirt.engine.core.aaa.DirectoryUser;
+import org.ovirt.engine.api.extensions.Base;
+import org.ovirt.engine.api.extensions.ExtMap;
+import org.ovirt.engine.api.extensions.ExtUUID;
+import org.ovirt.engine.api.extensions.Extension;
+import org.ovirt.engine.api.extensions.aaa.Authz;
+import org.ovirt.engine.api.extensions.aaa.Authz.InvokeCommands;
+import org.ovirt.engine.core.common.utils.Pair;
/**
* This directory contains only the internal user as specified in the {@code
AdminUser} configuration parameter.
*/
-public class InternalDirectory extends Directory {
+public class InternalDirectory implements Extension {
/**
*
*/
@@ -24,87 +26,89 @@
*/
private static final String ADMIN_ID =
"fdfc627c-d875-11e0-90f0-83df133b58cc";
- /**
- * The only user supported by this directory.
- */
- private DirectoryUser admin;
+ private ExtMap context;
- /**
- * {@inheritDoc}
- */
+ private String userName;
+
+ private ExtMap adminUser;
+
@Override
- public DirectoryUser findUser(String name) {
- return getAdminName().equals(name) ? admin : null;
+ public void invoke(ExtMap input, ExtMap output) {
+ try {
+ ExtUUID commandType = input.<ExtUUID> get(Base.InvokeKeys.COMMAND);
+ if (commandType.equals(Base.InvokeCommands.INITIALIZE)) {
+ doInit(input, output);
+ }
+ if
(commandType.equals(Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD)) {
+ doFetchPrincipalOutput(input, output);
+ }
+ if (commandType.equals(Authz.InvokeCommands.QUERY_CLOSE)) {
+ // Do nothing
+ }
+ if
(commandType.equals(Authz.InvokeCommands.QUERY_PRINCIPALS_BY_IDS_OPEN)) {
+ fillOpaque(output, commandType);
+ }
+ if
(commandType.equals(Authz.InvokeCommands.QUERY_PRINCIPALS_OPEN)) {
+ fillOpaque(output, commandType);
+ }
+ if
(commandType.equals(Authz.InvokeCommands.QUERY_GROUPS_BY_IDS_OPEN)) {
+ fillOpaque(output, commandType);
+ }
+ if (commandType.equals(Authz.InvokeCommands.QUERY_EXECUTE)) {
+ doQueryExecute(input, output);
+ }
+
+ output.mput(Base.InvokeKeys.RESULT, Base.InvokeResult.SUCCESS);
+ } catch (Exception ex) {
+ output.mput(Base.InvokeKeys.RESULT, Base.InvokeResult.FAILED);
+ output.mput(Base.InvokeKeys.MESSAGE, ex.getMessage());
+ }
}
- /**
- * {@inheritDoc}
- */
- @Override
- public DirectoryUser findUserById(String id) {
- return ADMIN_ID.equals(id)? admin: null;
- }
- /**
- * {@inheritDoc}
- */
- @Override
- public List<DirectoryUser> findUsers(List<String> ids) {
- List<DirectoryUser> users = new ArrayList<>(ids.size());
- for (String id : ids) {
- DirectoryUser user = findUserById(id);
- if (user != null) {
- users.add(user);
+ private void doQueryExecute(ExtMap input, ExtMap output) {
+ Pair<ExtUUID, Boolean> opaque = input.<Pair<ExtUUID, Boolean>>
get(Authz.InvokeKeys.QUERY_OPAQUE);
+ ExtUUID queryType = opaque.getFirst();
+ boolean firstCall = opaque.getSecond();
+ if (queryType.equals(InvokeCommands.QUERY_PRINCIPALS_BY_IDS_OPEN) ||
queryType.equals(InvokeCommands.QUERY_PRINCIPALS_OPEN)) {
+ // Since there is a single user in the directory, execute
+ if (firstCall) {
+ opaque.setSecond(false);
+ output.mput(
+ Authz.InvokeKeys.QUERY_RESULT, Arrays.asList(adminUser)
+ ).mput(
+ Authz.InvokeKeys.QUERY_OPAQUE, opaque
+ );
+ } else {
+ output.mput(
+ Authz.InvokeKeys.QUERY_RESULT, null
+ ).mput(
+ Authz.InvokeKeys.QUERY_OPAQUE, opaque
+ );
}
}
- return users;
}
- /**
- * {@inheritDoc}
- */
- @Override
- public DirectoryGroup findGroup(String name) {
- return null;
+ private void fillOpaque(ExtMap output, ExtUUID queryType) {
+ output.mput(Authz.InvokeKeys.QUERY_OPAQUE, new Pair<ExtUUID,
Boolean>(queryType, true));
}
- /**
- * {@inheritDoc}
- */
- @Override
- public DirectoryGroup findGroupById(String id) {
- return null;
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public List<DirectoryUser> queryUsers(String query) {
- return Collections.singletonList(admin);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public List<DirectoryGroup> queryGroups(String query) {
- return Collections.emptyList();
- }
-
- @Override
- public void init() {
- admin = new DirectoryUser(getName(), ADMIN_ID, getAdminName());
- admin.setAdmin(true);
- context.put(ExtensionProperties.AUTHOR, "The oVirt Project");
- context.put(ExtensionProperties.EXTENSION_NAME, "Internal
Authorization (Built-in)");
- context.put(ExtensionProperties.LICENSE, "ASL 2.0");
- context.put(ExtensionProperties.HOME, "http://www.ovirt.org";);
- context.put(ExtensionProperties.VERSION, "N/A");
+ private void doFetchPrincipalOutput(ExtMap input, ExtMap output) {
+ output.mput(
+ Authz.InvokeKeys.PRINCIPAL_RECORD, adminUser);
}
- private String getAdminName() {
- return ((Properties)
context.get(ExtensionProperties.CONFIGURATION)).getProperty("config.authz.user.name");
+ private void doInit(ExtMap input, ExtMap output) {
+ context = input.<ExtMap> get(Base.InvokeKeys.CONTEXT);
+ context.mput(Base.ContextKeys.CONFIGURATION_SENSITIVE_KEYS,
"config.authn.user.password").
+ mput(Base.ContextKeys.EXTENSION_NAME, "Internal Authorization
(Built-in").
+ mput(Base.ContextKeys.LICENSE, "ASL 2.0").
+ mput(Base.ContextKeys.HOME_URL, "http://www.ovirt.org";).
+ mput(Base.ContextKeys.VERSION, "N/A");
+ userName = context.<Properties>
get(Base.ContextKeys.CONFIGURATION).getProperty("config.authz.user.name");
+ adminUser = new ExtMap().
+ mput(Authz.PrincipalRecord.NAME, userName).
+ mput(Authz.PrincipalRecord.ID, ADMIN_ID);
}
}
--
To view, visit http://gerrit.ovirt.org/26477
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I958443292da0455e0a12039fac98eebb9b17dee2
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
