Repository: cloudstack Updated Branches: refs/heads/saml2 [created] 5463fbb62
SAML2: add saml sso and slo apicmds skeleton, add classes to AuthManager Signed-off-by: Rohit Yadav <rohit.ya...@shapeblue.com> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5463fbb6 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5463fbb6 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5463fbb6 Branch: refs/heads/saml2 Commit: 5463fbb6269cd94c79ac6e5a496b9b164dcb2b76 Parents: ae207be Author: Rohit Yadav <rohit.ya...@shapeblue.com> Authored: Tue Aug 12 13:10:05 2014 +0200 Committer: Rohit Yadav <rohit.ya...@shapeblue.com> Committed: Tue Aug 12 13:11:14 2014 +0200
----------------------------------------------------------------------
.../org/apache/cloudstack/api/ApiConstants.java | 1 +
.../api/auth/APIAuthenticationManagerImpl.java | 2 +
.../api/auth/SAML2LoginAPIAuthenticatorCmd.java | 94 ++++++++++++++++++++
.../auth/SAML2LogoutAPIAuthenticatorCmd.java | 71 +++++++++++++++
4 files changed, 168 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5463fbb6/api/src/org/apache/cloudstack/api/ApiConstants.java
----------------------------------------------------------------------
diff --git a/api/src/org/apache/cloudstack/api/ApiConstants.java b/api/src/org/apache/cloudstack/api/ApiConstants.java
index f89aa14..6baa95c 100755
--- a/api/src/org/apache/cloudstack/api/ApiConstants.java
+++ b/api/src/org/apache/cloudstack/api/ApiConstants.java
@@ -514,6 +514,7 @@ public class ApiConstants {
 public static final String VMPROFILE_ID = "vmprofileid";
 public static final String VMGROUP_ID = "vmgroupid";
 public static final String CS_URL = "csurl";
+ public static final String IDP_URL = "idpurl";
 public static final String SCALEUP_POLICY_IDS = "scaleuppolicyids";
 public static final String SCALEDOWN_POLICY_IDS = "scaledownpolicyids";
 public static final String SCALEUP_POLICIES = "scaleuppolicies";
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5463fbb6/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java b/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
index 886d277..ece2e03 100644
--- a/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
+++ b/server/src/com/cloud/api/auth/APIAuthenticationManagerImpl.java
@@ -57,6 +57,8 @@ public class APIAuthenticationManagerImpl extends ManagerBase implements APIAuth
 s_commandList = new ArrayList<Class<?>>();
 s_commandList.add(DefaultLoginAPIAuthenticatorCmd.class);
 s_commandList.add(DefaultLogoutAPIAuthenticatorCmd.class);
+ s_commandList.add(SAML2LoginAPIAuthenticatorCmd.class);
+ s_commandList.add(SAML2LogoutAPIAuthenticatorCmd.class);
 }
 return s_commandList;
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5463fbb6/server/src/com/cloud/api/auth/SAML2LoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/auth/SAML2LoginAPIAuthenticatorCmd.java b/server/src/com/cloud/api/auth/SAML2LoginAPIAuthenticatorCmd.java
new file mode 100644
index 0000000..beba4f1
--- /dev/null
+++ b/server/src/com/cloud/api/auth/SAML2LoginAPIAuthenticatorCmd.java
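Review bot: The two added `s_commandList.add(SAML2...)` lines register `samlsso` and `samlslo` unconditionally, so both authenticator endpoints are reachable on every management server whether or not an IdP has been set up, and nothing in this commit consults a SAML-enabled setting. Because `samlsso` (in this same commit) redirects to a caller-supplied `idpurl`, always-on registration exposes that behaviour on deployments that never asked for SAML. I would wrap the two adds in a check on a global configuration flag that this branch still needs to introduce, defaulting to off, e.g. `if (samlEnabled) { s_commandList.add(SAML2LoginAPIAuthenticatorCmd.class); s_commandList.add(SAML2LogoutAPIAuthenticatorCmd.class); }`. The enclosing method begins before this hunk.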
@@ -0,0 +1,94 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.cloud.api.auth;
+
+import com.cloud.user.Account;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.LoginCmdResponse;
+import org.apache.log4j.Logger;
+
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.util.Map;
+
+@APICommand(name = "samlsso", description = "SP initiated SAML Single Sign On", requestHasSensitiveInfo = true, responseObject = LoginCmdResponse.class, entityType = {})
+public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
+ public static final Logger s_logger = Logger.getLogger(SAML2LoginAPIAuthenticatorCmd.class.getName());
+ private static final String s_name = "loginresponse";
+
+ /////////////////////////////////////////////////////
+ //////////////// API parameters /////////////////////
+ /////////////////////////////////////////////////////
+ @Parameter(name = ApiConstants.IDP_URL, type = CommandType.STRING, description = "Identity Provider SSO HTTP-Redirect binding URL", required = true)
+ private String idpUrl;
+
+ /////////////////////////////////////////////////////
+ /////////////////// Accessors ///////////////////////
+ /////////////////////////////////////////////////////
+
+ public String getIdpUrl() {
+ return idpUrl;
+ }
+
+ /////////////////////////////////////////////////////
+ /////////////// API Implementation///////////////////
+ /////////////////////////////////////////////////////
+
+ @Override
+ public String getCommandName() {
+ return s_name;
+ }
+
+ @Override
+ public long getEntityOwnerId() {
+ return Account.ACCOUNT_TYPE_NORMAL;
+ }
+
+ @Override
+ public void execute() throws ServerApiException {
+ // We should never reach here
+ throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "This is an authentication api, cannot be used directly");
+ }
+
+ @Override
+ public String authenticate(String command, Map<String, Object[]> params, HttpSession session, String remoteAddress, String responseType, StringBuilder auditTrailSb, final HttpServletResponse resp) throws ServerApiException {
+
+ String response = null;
+ try {
+ resp.sendRedirect(getIdpUrl());
+
+ // TODO: create and send assertion with the URL as GET params
+
+ } catch (IOException e) {
+ auditTrailSb.append("SP initiated SAML authentication using HTTP redirection failed:");
+ auditTrailSb.append(e.getMessage());
+ }
+ return response;
+ }
+
+ @Override
+ public APIAuthenticationType getAPIType() {
+ return APIAuthenticationType.LOGIN_API;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5463fbb6/server/src/com/cloud/api/auth/SAML2LogoutAPIAuthenticatorCmd.java
----------------------------------------------------------------------
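Review bot: `authenticate()` calls `resp.sendRedirect(getIdpUrl())` where `idpUrl` is a required, caller-supplied request parameter (`@Parameter(name = ApiConstants.IDP_URL, ...)`), so any unauthenticated client can make the management server issue a 302 to an arbitrary URL — an open redirect that is ideal for phishing the very credentials SSO is meant to protect. The IdP's SSO endpoint is a trust decision the server owns; it should come from IdP metadata or a global setting and the parameter should be dropped, e.g. `resp.sendRedirect(configuredIdpSsoUrl);` with `configuredIdpSsoUrl` read server-side. When the `TODO` to build the AuthnRequest is implemented, the request ID should also be stored in `session` so the eventual response can be checked against it, and the `IOException` branch currently only appends to `auditTrailSb` and returns `null`, which callers cannot tell apart from a successful redirect — rethrowing as `ServerApiException` would be clearer.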
diff --git a/server/src/com/cloud/api/auth/SAML2LogoutAPIAuthenticatorCmd.java b/server/src/com/cloud/api/auth/SAML2LogoutAPIAuthenticatorCmd.java
new file mode 100644
index 0000000..9119588
--- /dev/null
+++ b/server/src/com/cloud/api/auth/SAML2LogoutAPIAuthenticatorCmd.java
@@ -0,0 +1,71 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.auth;
+
+import com.cloud.api.response.ApiResponseSerializer;
+import com.cloud.user.Account;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.LogoutCmdResponse;
+import org.apache.log4j.Logger;
+
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.util.Map;
+
+@APICommand(name = "samlslo", description = "SAML Single Log Out API", responseObject = LogoutCmdResponse.class, entityType = {})
+public class SAML2LogoutAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
+ public static final Logger s_logger = Logger.getLogger(SAML2LogoutAPIAuthenticatorCmd.class.getName());
+ private static final String s_name = "logoutresponse";
+
+ /////////////////////////////////////////////////////
+ /////////////// API Implementation///////////////////
+ /////////////////////////////////////////////////////
+
+ @Override
+ public String getCommandName() {
+ return s_name;
+ }
+
+ @Override
+ public long getEntityOwnerId() {
+ return Account.ACCOUNT_TYPE_NORMAL;
+ }
+
+ @Override
+ public void execute() throws ServerApiException {
+ // We should never reach here
+ throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "This is an authentication api, cannot be used directly");
+ }
+
+ @Override
+ public String authenticate(String command, Map<String, Object[]> params, HttpSession session, String remoteAddress, String responseType, StringBuilder auditTrailSb, final HttpServletResponse resp) throws ServerApiException {
+ auditTrailSb.append("=== Logging out ===");
+ // TODO: check global config and do either local or global log out
+ LogoutCmdResponse response = new LogoutCmdResponse();
+ response.setDescription("success");
+ response.setResponseName(getCommandName());
+ return ApiResponseSerializer.toSerializedString(response, responseType);
+ }
+
+ @Override
+ public APIAuthenticationType getAPIType() {
+ return APIAuthenticationType.LOGOUT_API;
+ }
+}
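Review bot: `authenticate()` in `SAML2LogoutAPIAuthenticatorCmd` reports `"success"` without touching the `session` argument, so a caller of `samlslo` gets a logout response while the server-side session stays valid and the session cookie keeps working. Even before the global-logout `TODO` is resolved, the local part should happen unconditionally: add `session.invalidate();` right after the `auditTrailSb.append("=== Logging out ===")` line, guarded by a null check on `session` if the caller may pass none. The audit entry would also be more useful if it carried who is logging out, e.g. appending `remoteAddress` to the `"=== Logging out ==="` line, since the method already receives it and the logout cannot be attributed otherwise.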