usergrid-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From g...@apache.org
Subject [4/9] incubator-usergrid git commit: When provisioning a local user for a valid external token, create all organizations listed in the user's Access Info object. Also: prevent Admin Users from logging in when external token validation is enabled.
Date Thu, 16 Apr 2015 18:09:28 GMT
When provisioning a local user for a valid external token, create all organizations listed
in the user's Access Info object. Also: prevent Admin Users from logging in when external
token validation is enabled.


Project: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/commit/9a8d5e07
Tree: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/tree/9a8d5e07
Diff: http://git-wip-us.apache.org/repos/asf/incubator-usergrid/diff/9a8d5e07

Branch: refs/heads/master
Commit: 9a8d5e07822c5bd856f2aea2ec87232ad8888307
Parents: 27757b3
Author: Dave Johnson <dmjohnson@apigee.com>
Authored: Wed Apr 15 11:24:52 2015 -0400
Committer: Dave Johnson <dmjohnson@apigee.com>
Committed: Wed Apr 15 11:24:52 2015 -0400

----------------------------------------------------------------------
 .../main/resources/usergrid-default.properties  |  5 ++
 .../rest/management/ManagementResource.java     | 89 ++++++++++++++++----
 2 files changed, 78 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/9a8d5e07/stack/config/src/main/resources/usergrid-default.properties
----------------------------------------------------------------------
diff --git a/stack/config/src/main/resources/usergrid-default.properties b/stack/config/src/main/resources/usergrid-default.properties
index cc4dda6..fe7a945 100644
--- a/stack/config/src/main/resources/usergrid-default.properties
+++ b/stack/config/src/main/resources/usergrid-default.properties
@@ -111,6 +111,11 @@ usergrid.sysadmin.login.allowed=false
 usergrid.sysadmin.approve.users=false
 usergrid.sysadmin.approve.organizations=false
 
+# Base URL of central Usergrid SSO server
+# Setting this will enable external token validation.
+# See also: https://issues.apache.org/jira/browse/USERGRID-567
+usergrid.central.url=
+
 # Where to store temporary files
 usergrid.temp.files=/tmp/usergrid
 

http://git-wip-us.apache.org/repos/asf/incubator-usergrid/blob/9a8d5e07/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
index 27dda53..1bae8eb 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
@@ -18,6 +18,7 @@ package org.apache.usergrid.rest.management;
 
 
 import java.net.URLEncoder;
+import java.util.Iterator;
 import java.util.Map;
 import java.util.UUID;
 
@@ -105,8 +106,25 @@ public class ManagementResource extends AbstractContextResource {
 
     public static final String USERGRID_CENTRAL_URL = "usergrid.central.url";
 
+    private boolean superuserAllowed;
+
+    private boolean externalTokensEnabled;
+
+    private String superuserName;
+
 
     public ManagementResource() {
+
+        String superuserAllowedStr =  properties.getProperty( "usergrid.sysadmin.login.allowed"
);
+
+        superuserName = properties.getProperty( "usergrid.sysadmin.login.name" );
+
+        superuserAllowed = !StringUtils.isEmpty( superuserAllowedStr )
+                && superuserAllowedStr.trim().equalsIgnoreCase( "true" );
+
+        externalTokensEnabled =
+                !StringUtils.isEmpty( properties.getProperty( USERGRID_CENTRAL_URL ));
+
         logger.info( "ManagementResource initialized" );
     }
 
@@ -181,6 +199,17 @@ public class ManagementResource extends AbstractContextResource {
     private Response getAccessTokenInternal( UriInfo ui, String authorization, String grant_type,
String username,
                                              String password, String client_id, String client_secret,
long ttl,
                                              String callback, boolean loadAdminData ) throws
Exception {
+
+
+        // if external tokens are enabled for Usegrid central authentication,
+        // then only the superuser can login via this Usergrid instance.
+        if ( externalTokensEnabled && !username.equalsIgnoreCase( superuserName ))
{
+
+            // cause an HTTP 400 response with a useful message
+            throw  new IllegalArgumentException("Admin Users must login via " +
+                properties.getProperty( USERGRID_CENTRAL_URL ));
+        }
+
         UserInfo user = null;
 
         try {
@@ -481,7 +510,7 @@ public class ManagementResource extends AbstractContextResource {
             throw new NotImplementedException( "External Token Validation Service is not
configured" );
         }
 
-        Object extAccessTokenObj = json.get("ext_access_token");
+        Object extAccessTokenObj = json.get( "ext_access_token" );
         if ( extAccessTokenObj == null ) {
             throw new IllegalArgumentException("ext_access_token must be specified");
         }
@@ -505,9 +534,10 @@ public class ManagementResource extends AbstractContextResource {
     /**
      * <p>
      * Validates access token from other or "external" Usergrid system.
-     * Calls other system's /management/me endpoint to get the User associated with the access
token.
-     * If user does not exist locally, then user and organization with the same name of user
is created.
-     * If no user is returned from the other cluster, then this endpoint will return 401.
+     * Calls other system's /management/me endpoint to get the User
+     * associated with the access token. If user does not exist locally,
+     * then user and organizations will be created. If no user is returned
+     * from the other cluster, then this endpoint will return 401.
      * </p>
      *
      * <p> Part of Usergrid Central SSO feature.
@@ -550,29 +580,55 @@ public class ManagementResource extends AbstractContextResource {
 
         JsonNode userNode = accessInfoNode.get( "user" );
         String username = userNode.get( "username" ).getTextValue();
-        String name     = userNode.get( "name" ).getTextValue();
-        String email    = userNode.get( "email" ).getTextValue();
-
-        // set dummy password to random string that nobody can guess, in SSO setup
-        // admin users should never be able to login directly to this Usergrid system
-        String dummyPassword = RandomStringUtils.randomAlphanumeric( 40 );
 
         // if user does not exist locally then we need to fix that
 
-        final UUID userId;
+        UUID userId = null;
         final OrganizationInfo organizationInfo = management.getOrganizationByName(username);
 
         if ( organizationInfo == null ) {
 
             // create local user and personal organization, activate user.
 
-            OrganizationOwnerInfo ownerOrgInfo = management.createOwnerAndOrganization(
-                    username, username, name, email, dummyPassword, true, true );
-            userId = ownerOrgInfo.getOwner().getUuid();
+            String name     = userNode.get( "name" ).getTextValue();
+            String email    = userNode.get( "email" ).getTextValue();
+
+            // set dummy password to random string that nobody can guess, in SSO setup
+            // admin users should never be able to login directly to this Usergrid system
+            String dummyPassword = RandomStringUtils.randomAlphanumeric( 40 );
+
+            JsonNode orgsNode = userNode.get( "organizations" );
+            final Iterator<String> fieldNames = orgsNode.getFieldNames();
+
+            UserInfo userInfo = null;
+
+            // create user and any organizations that user is supposed to have
+
+            while ( fieldNames.hasNext() ) {
+
+                String orgName = fieldNames.next();
+
+                if ( userId == null ) {
 
-            management.activateOrganization( ownerOrgInfo.getOrganization() );
+                    // haven't created user yet so do that now
+                    OrganizationOwnerInfo ownerOrgInfo = management.createOwnerAndOrganization(
+                            orgName, username, name, email, dummyPassword, true, true );
 
-            applicationCreator.createSampleFor( ownerOrgInfo.getOrganization() );
+                    management.activateOrganization( ownerOrgInfo.getOrganization() ); //
redundant?
+                    applicationCreator.createSampleFor( ownerOrgInfo.getOrganization() );
+
+                    userId = ownerOrgInfo.getOwner().getUuid();
+                    userInfo = ownerOrgInfo.getOwner();
+
+                } else {
+
+                    // already created user, so just create an org
+                    final OrganizationInfo organization = management.createOrganization(
orgName, userInfo, true );
+
+                    management.activateOrganization( organization ); // redundant?
+                    applicationCreator.createSampleFor( organization );
+                }
+            }
 
         } else {
             userId = management.getAdminUserByUsername( username ).getUuid();
@@ -602,6 +658,7 @@ public class ManagementResource extends AbstractContextResource {
         // create URL of central Usergrid's /management/me endpoint
 
         String externalUrl = properties.getProperty( USERGRID_CENTRAL_URL ).trim();
+
         // be lenient about trailing slash
         externalUrl = !externalUrl.endsWith( "/" ) ? externalUrl + "/" : externalUrl;
         String me = externalUrl + "management/me?access_token=" + extAccessToken;


Mime
View raw message