cf-uaac 1.3.0

data/lib/cli/group.rb

@@ -0,0 +1,85 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'set'
+require 'cli/common'
+require 'uaa'
+
+module CF::UAA
+
+class GroupCli < CommonCli
+
+  topic "Groups", "group"
+
+  def gname(name) name || ask("Group name") end
+
+  desc "groups [filter]", "List groups", :attrs, :start, :count do |filter|
+    pp scim_request { |ua|
+      query = { attributes: opts[:attrs], filter: filter }
+      opts[:start] || opts[:count] ?
+        ua.query_groups(query.merge!(startIndex: opts[:start], count: opts[:count])):
+        ua.all_pages(:group, query)
+    }
+  end
+
+  desc "group get [name]", "Get specific group information" do |name|
+    pp scim_request { |ua| ua.get(:group, ua.id(:group, gname(name))) }
+  end
+
+  desc "group add [name]", "Adds a group" do |name|
+    pp scim_request { |ua| ua.add(:group, displayName: gname(name)) }
+  end
+
+  desc "group delete [name]", "Delete group" do |name|
+    pp scim_request { |ua| 
+      ua.delete(:delete, ua.id(:group, gname(name)))
+      "success" 
+    }
+  end
+
+  def id_set(objs)
+    objs.each_with_object(Set.new) {|o, s| 
+      s << (o.is_a?(String)? o: (o["id"] || o["value"]))
+    }
+  end
+
+  desc "member add [name] [members...]", "add members to a group" do |name, *members|
+    pp scim_request { |ua|
+      group = ua.get(:group, ua.id(:group, gname(name)))
+      old_ids = id_set(group["members"] || [])
+      new_ids = id_set(ua.ids(:user, *members))
+      raise "not all members found, none added" unless new_ids.size == members.size
+      group["members"] = (old_ids + new_ids).to_a
+      raise "no new members given" unless group["members"].size > old_ids.size
+      ua.put(:group, group)
+      "success"
+    }
+  end
+
+  desc "member delete [name] [members...]", "remove members from a group" do |name, *members|
+    pp scim_request { |ua|
+      group = ua.get(:group, ua.id(:group, gname(name)))
+      old_ids = id_set(group["members"] || [])
+      new_ids = id_set(ua.ids(:user, *members))
+      raise "not all members found, none deleted" unless new_ids.size == members.size
+      group["members"] = (old_ids - new_ids).to_a
+      raise "no existing members to delete" unless group["members"].size < old_ids.size
+      group.delete("members") if group["members"].empty?
+      ua.put(:group, group)
+      "success"
+    }
+  end
+
+end
+
+end

data/lib/cli/info.rb

@@ -0,0 +1,54 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'cli/common'
+require 'uaa'
+
+module CF::UAA
+
+class InfoCli < CommonCli
+
+  topic "System Information", "sys", "info"
+
+  def misc_request(&blk) Config.target ? handle_request(&blk) : gripe("target not set") end
+
+  desc "info", "get information about current target" do
+    pp misc_request { update_target_info(Misc.server(Config.target)) }
+  end
+
+  desc "me", "get authenticated user information" do
+    pp misc_request { Misc.whoami Config.target, auth_header }
+  end
+
+  desc "prompts", "Show prompts for credentials required for implicit grant post" do
+    pp misc_request { update_target_info(Misc.server(Config.target))['prompts'] }
+  end
+
+  desc "signing key", "get the UAA's token signing key(s)", :client, :secret do
+    info = misc_request { Misc.validation_key(Config.target, 
+        (clientname if opts.key?(:client)), (clientsecret if opts.key?(:client))) }
+    Config.target_opts(signing_alg: info['alg'], signing_key: info['value'])
+    pp info
+  end
+
+  desc "stats", "Show UAA's current usage statistics", :client, :secret do
+    pp misc_request { Misc.varz(Config.target, clientname, clientsecret) }
+  end
+
+  desc "password strength [password]", "calculate strength score of a password" do |pwd|
+    pp misc_request { Misc.password_strength(Config.target, userpwd(pwd)) }
+  end
+
+end
+
+end

data/lib/cli/runner.rb

@@ -0,0 +1,52 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'cli/common'
+require 'cli/token'
+require 'cli/user'
+require 'cli/group'
+require 'cli/info'
+require 'cli/client_reg'
+
+module CF::UAA
+
+class Cli < BaseCli
+  @overview = "UAA Command Line Interface"
+  @topics = [MiscCli, InfoCli, TokenCli, UserCli, GroupCli, ClientCli]
+  @global_options = [:help, :version, :debug, :trace, :config]
+
+  def self.configure(config_file = "", input = $stdin, output = $stdout, 
+      print_on_trace = false)
+    @config_file, @input, @output = config_file, input, output
+    @print_on_trace = print_on_trace
+    self
+  end
+
+  def self.too_many_args(cmd)
+    @output.puts "\nToo many command line parameters given."
+    run cmd.unshift("help")
+  end
+
+  def self.preprocess_options(args, opts)
+    return args.replace(["version"]) if opts[:version]
+    return args.unshift("help") if args.empty? || opts[:help] && args[0] != "version"
+    Config.load(opts[:config] || @config_file) if opts.key?(:config) || !Config.loaded?
+    [:trace, :debug].each do |k|
+      opts[k] = true if !opts.key?(k) && Config.target && Config.context && Config.value(k)
+    end
+    Misc.logger = Util.default_logger(opts[:trace]? :trace: opts[:debug]? :debug: :warn, @output)
+  end
+
+end
+
+end

data/lib/cli/token.rb

@@ -0,0 +1,217 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'cli/common'
+require 'launchy'
+require 'uaa'
+require 'stub/server'
+
+module CF::UAA
+
+class TokenCatcher < Stub::Base
+
+  def process_grant(data)
+    server.logger.debug "processing grant for path #{request.path}"
+    secret = server.info.delete(:client_secret)
+    ti = TokenIssuer.new(Config.target, server.info.delete(:client_id), secret,
+        Config.target_value(:token_target))
+    tkn = secret ? ti.authcode_grant(server.info.delete(:uri), data) :
+        ti.implicit_grant(server.info.delete(:uri), data)
+    server.info.update(Util.hash_keys!(tkn.info, :tosym))
+    reply.text "you are now logged in and can close this window"
+  rescue TargetError => e
+    reply.text "#{e.message}:\r\n#{JSON.pretty_generate(e.info)}\r\n#{e.backtrace}"
+  rescue Exception => e
+    reply.text "#{e.message}\r\n#{e.backtrace}"
+  ensure
+    server.logger.debug "reply: #{reply.body}"
+  end
+
+  route :get, '/favicon.ico' do
+    reply.headers['content-type'] = "image/vnd.microsoft.icon"
+    reply.body = File.read File.expand_path(File.join(__FILE__, '..', 'favicon.ico'))
+  end
+
+  route :get, %r{^/authcode\?(.*)$} do process_grant match[1] end
+  route :post, '/callback' do process_grant request.body end
+  route :get, '/callback' do
+    server.logger.debug "caught redirect back from UAA after authentication"
+    reply.headers['content-type'] = "text/html"
+    reply.body = <<-HTML.gsub(/^ +/, '')
+      <html><body><script type="text/javascript">
+      var fragment = location.hash.substring(1);
+      var req = new XMLHttpRequest();
+      //document.write(fragment + "<br><br>");
+      req.open('POST', "/callback", false);
+      req.setRequestHeader("Content-type","application/x-www-form-urlencoded");
+      req.send(fragment);
+      document.write(req.responseText);
+      </script></body></html>
+    HTML
+  end
+end
+
+class TokenCli < CommonCli
+
+  topic "Tokens", "token", "login"
+
+  def say_success(grant)
+    say "\nSuccessfully fetched token via a #{grant} grant.\nTarget: #{Config.target}\nContext: #{Config.context}\n"
+  end
+
+  def issuer_request(client_id, secret = nil)
+    update_target_info
+    yield TokenIssuer.new(Config.target.to_s, client_id, secret, Config.target_value(:token_endpoint))
+  rescue Exception => e
+    complain e
+  end
+
+  define_option :client, "--client <name>", "-c"
+  define_option :scope, "--scope <list>"
+  desc "token get [credentials...]",
+      "Gets a token by posting user credentials with an implicit grant request",
+      :client, :scope do |*args|
+    client_name = opts[:client] || "vmc"
+    token = issuer_request(client_name, "") { |ti|
+      prompts = ti.prompts
+      creds = {}
+      prompts.each do |k, v|
+        if arg = args.shift
+          creds[k] = arg
+        elsif v[0] == "text"
+          creds[k] = ask(v[1])
+        elsif v[0] == "password"
+          creds[k] = ask_pwd v[1]
+        else
+          raise "Unknown prompt type \"#{v[0]}\" received from #{Context.target}"
+        end
+      end
+      ti.implicit_grant_with_creds(creds, opts[:scope]).info
+    }
+    return gripe "attempt to get token failed\n" unless token && token["access_token"]
+    tokinfo = TokenCoder.decode(token["access_token"], nil, nil, false)
+    Config.context = tokinfo["user_name"]
+    Config.add_opts(user_id: tokinfo["user_id"])
+    Config.add_opts token
+    say_success "implicit (with posted credentials)"
+  end
+
+  define_option :secret, "--secret <secret>", "-s", "client secret"
+  desc "token client get [name]",
+      "Gets a token with client credentials grant", :secret, :scope do |id|
+    id = clientname(id)
+    return unless info = issuer_request(id, clientsecret) { |ti|
+      ti.client_credentials_grant(opts[:scope]).info
+    }
+    Config.context = id
+    Config.add_opts info
+    say_success "client credentials"
+  end
+
+  define_option :password, "-p", "--password <password>", "user password"
+  desc "token owner get [client] [user]", "Gets a token with a resource owner password grant",
+      :secret, :password, :scope do |client, user|
+    return unless info = issuer_request(clientname(client), clientsecret) { |ti|
+        ti.owner_password_grant(user = username(user), userpwd, opts[:scope]).info
+    }
+    Config.context = user
+    Config.add_opts info
+    say_success "owner password"
+  end
+
+  desc "token refresh [refreshtoken]", "Gets a new access token from a refresh token", :client, :secret, :scope do |rtok|
+    rtok ||= Config.value(:refresh_token)
+    Config.add_opts issuer_request(clientname, clientsecret) { |ti| ti.refresh_token_grant(rtok, opts[:scope]).info }
+    say_success "refresh"
+  end
+
+  VMC_TOKEN_FILE = File.join ENV["HOME"], ".vmc_token"
+  VMC_TARGET_FILE = File.join ENV["HOME"], ".vmc_target"
+
+  def use_browser(client_id, secret = nil)
+    catcher = Stub::Server.new(TokenCatcher,
+        Util.default_logger(debug? ? :debug : trace? ? :trace : :info),
+        client_id: client_id, client_secret: secret).run_on_thread("localhost", opts[:port])
+    uri = issuer_request(client_id, secret) { |ti|
+      secret ? ti.authcode_uri("#{catcher.url}/authcode", opts[:scope]) :
+          ti.implicit_uri("#{catcher.url}/callback", opts[:scope])
+    }
+    return unless catcher.info[:uri] = uri
+    say "launching browser with #{uri}" if trace?
+    Launchy.open(uri, debug: true, dry_run: false)
+    print "waiting for token "
+    while catcher.info[:uri] || !catcher.info[:access_token]
+      sleep 5
+      print "."
+    end
+    Config.context = TokenCoder.decode(catcher.info[:access_token], nil, nil, false)[:user_name]
+    Config.add_opts catcher.info
+    say_success secret ? "authorization code" : "implicit"
+    return unless opts[:vmc]
+    begin
+      vmc_target = File.open(VMC_TARGET_FILE, 'r') { |f| f.read.strip }
+      tok_json = File.open(VMC_TOKEN_FILE, 'r') { |f| f.read } if File.exists?(VMC_TOKEN_FILE)
+      vmc_tokens = Util.json_parse(tok_json, :none) || {}
+      vmc_tokens[vmc_target] = auth_header
+      File.open(VMC_TOKEN_FILE, 'w') { |f| f.write(vmc_tokens.to_json) }
+    rescue Exception => e
+      gripe "\nUnable to save token to vmc token file"
+      complain e
+    end
+  end
+
+  define_option :port, "--port <number>", "pin internal server to specific port"
+  define_option :vmc, "--[no-]vmc", "save token in the ~/.vmc_tokens file"
+  desc "token authcode get", "Gets a token using the authcode flow with browser",
+      :client, :secret, :scope, :vmc, :port do use_browser(clientname, clientsecret) end
+
+  desc "token implicit get", "Gets a token using the implicit flow with browser",
+      :client, :scope, :vmc, :port do use_browser opts[:client] || "vmc" end
+
+  define_option :key, "--key <key>", "Token validation key"
+  desc "token decode [token] [tokentype]", "Show token contents as parsed locally or by the UAA. " +
+   "Decodes locally unless --client and --secret are given. Validates locally if --key given or server's signing key has been retrieved",
+      :key, :client, :secret do |token, ttype|
+    ttype = "bearer" if token && !ttype
+    token ||= Config.value(:access_token)
+    ttype ||= Config.value(:token_type)
+    return say "no token to decode" unless token && ttype
+    handle_request do
+      if opts[:client] && opts[:secret]
+        pp Misc.decode_token(Config.target, opts[:client], opts[:secret], token, ttype)
+      else
+		seckey = opts[:key] || (Config.target_value(:signing_key) if Config.target_value(:signing_alg) !~ /rsa$/i)
+		pubkey = opts[:key] || (Config.target_value(:signing_key) if Config.target_value(:signing_alg) =~ /rsa$/i)
+        info = TokenCoder.decode(token, seckey, pubkey, seckey || pubkey)
+        say seckey || pubkey ? "\nValid token signature\n\n": "\nNote: no key given to validate token signature\n\n"
+        pp info
+      end
+    end
+  end
+
+  define_option :all, "--[no-]all", "remove all contexts"
+  desc "token delete [contexts...]",
+      "Delete current or specified context tokens and settings", :all do |*args|
+    begin
+      return Config.delete if opts[:all]
+      return args.each { |arg| Config.delete(Config.target, arg.to_i.to_s == arg ? arg.to_i : arg) } unless args.empty?
+      return Config.delete(Config.target, Config.context) if Config.context
+      say "no target set, no contexts given -- nothing to delete"
+    rescue Exception => e
+      complain e
+    end
+  end
+
+end
+
+end

data/lib/cli/user.rb

@@ -0,0 +1,108 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'cli/common'
+
+module CF::UAA
+
+class UserCli < CommonCli
+
+  topic "User Accounts", "account"
+
+  define_option :givenName, "--given_name <name>"
+  define_option :familyName, "--family_name <name>"
+  define_option :emails, "--emails <addresses>"
+  define_option :phoneNumbers, "--phones <phone_numbers>"
+  USER_INFO_OPTS = [:givenName, :familyName, :emails, :phoneNumbers]
+
+  def user_opts(info = {})
+    [:emails, :phoneNumbers].each do |o|
+      next unless opts[o]
+      info[o] = Util.arglist(opts[o]).each_with_object([]) { |v, a| a << {:value => v} }
+    end
+    n = [:givenName, :familyName].each_with_object({}) { |o, n| n[o] = opts[o] if opts[o] }
+    info[:name] = n unless n.empty?
+    info
+  end
+
+  define_option :attrs, "-a", "--attributes <names>", "output for each user"
+  define_option :start, "--start <number>", "start of output page"
+  define_option :count, "--count <number>", "max number per page"
+  desc "users [filter]", "List user accounts", :attrs, :start, :count do |filter|
+    pp scim_request { |ua|
+      query = { attributes: opts[:attrs], filter: filter }
+      opts[:start] || opts[:count] ?
+        ua.query(:user, query.merge!(startIndex: opts[:start], count: opts[:count])):
+        ua.all_pages(:user, query)
+    }
+  end
+
+  desc "user get [name]", "Get specific user account" do |name|
+    pp scim_request { |ua| ua.get(:user, ua.id(:user, username(name))) }
+  end
+
+  desc "user add [name]", "Add a user account", *USER_INFO_OPTS, :password do |name|
+    info = {userName: username(name), password: verified_pwd("Password", opts[:password])}
+    pp scim_request { |ua| 
+      ua.add(:user, user_opts(info))
+      "user account successfully added" 
+    }
+  end
+
+  define_option :del_attrs, "--del_attrs <attr_names>", "list of attributes to delete"
+  desc "user update [name]", "Update a user account with specified options",
+      *USER_INFO_OPTS, :del_attrs do |name|
+    return say "no user updates specified" if (updates = user_opts).empty?
+    pp scim_request { |ua|
+      info = ua.get(:user, ua.id(:user, username(name)))
+      opts[:del_attrs].each { |a| info.delete(a.to_s) } if opts[:del_attrs]
+      ua.put(:user, info.merge(updates))
+      "user account successfully updated"
+    }
+  end
+
+  desc "user delete [name]", "Delete user account" do |name|
+    pp scim_request { |ua|
+      ua.delete(:user, ua.id(:user, username(name)))
+      "user account successfully deleted"
+    }
+  end
+
+  desc "user ids [username|id...]", "Gets user names and ids for the given users" do |*users|
+    pp scim_request { |ua|
+      users = Util.arglist(ask("names or ids of users")) if !users || users.empty?
+      ids = ua.ids(:user_id, *users)
+      raise NotFound, "no users found" unless ids && ids.length > 0
+      ids
+    }
+  end
+
+  desc "password set [name]", "Set password", :password do |name|
+    pp scim_request { |ua|
+      ua.change_password(ua.id(:user, username(name)), verified_pwd("New password", opts[:password]))
+      "password successfully set"
+    }
+  end
+
+  define_option :old_password, "-o", "--old_password <password>", "current password"
+  desc "password change", "Change password for authenticated user in current context", :old_password, :password do
+    pp scim_request { |ua|
+      oldpwd = opts[:old_password] || ask_pwd("Current password")
+      ua.change_password(Config.value(:user_id), verified_pwd("New password", opts[:password]), oldpwd)
+      "password successfully changed"
+    }
+  end
+
+end
+
+end