cf-uaac 3.1.7 → 3.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/cf-uaac.gemspec +1 -1
- data/lib/cli/common.rb +1 -0
- data/lib/cli/group.rb +11 -7
- data/lib/cli/token.rb +9 -0
- data/lib/cli/version.rb +1 -1
- data/lib/stub/scim.rb +7 -6
- data/lib/stub/uaa.rb +18 -7
- data/spec/group_spec.rb +12 -3
- data/spec/token_spec.rb +9 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 99547295a5faebfa3f711aca3078f7b09af3c0c5
|
|
4
|
+
data.tar.gz: 4edaa8921ff9e37db2b03e335dc99f7788f2726c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b5f26510821f4815e381e765ad71970dba95a9b11cb023b1a5f1f390dddedaa7cbc2b544cb291f40cea71368794430c2d7d9ec9ef6118e41eed31d9dcd208681
|
|
7
|
+
data.tar.gz: 7bdccc0fb5a696ca07d34a38351a1017a32e6ebb3ecd415ddc8424ac034a11deeda0b5fdc76312173bf6329d3b74b9f2e9deaade94d551cf21ef30572cf0b892
|
data/cf-uaac.gemspec
CHANGED
|
@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
|
|
|
39
39
|
s.add_development_dependency "simplecov", "~> 0.8.2"
|
|
40
40
|
s.add_development_dependency "simplecov-rcov", "~> 0.2.3"
|
|
41
41
|
s.add_development_dependency "ci_reporter", "~> 1.9.2"
|
|
42
|
-
s.add_runtime_dependency "cf-uaa-lib", "~> 3.
|
|
42
|
+
s.add_runtime_dependency "cf-uaa-lib", "~> 3.4.0"
|
|
43
43
|
s.add_runtime_dependency "highline", "~> 1.6.21"
|
|
44
44
|
s.add_runtime_dependency "eventmachine", "~> 1.0.3"
|
|
45
45
|
s.add_runtime_dependency "launchy", "~> 2.4.2"
|
data/lib/cli/common.rb
CHANGED
|
@@ -31,6 +31,7 @@ class CommonCli < Topic
|
|
|
31
31
|
|
|
32
32
|
def username(name); name || ask("User name") end
|
|
33
33
|
def userpwd(pwd = opts[:password]); pwd || ask_pwd("Password") end
|
|
34
|
+
def passcode(passcode = opts[:passcode]); passcode || ask("Passcode (from #{Config.target}/passcode)") end
|
|
34
35
|
def clientid(id = opts[:client]); id || ask("Client ID") end
|
|
35
36
|
def clientsecret(secret = opts[:secret]); secret || ask_pwd("Client secret") end
|
|
36
37
|
def clientname(name = opts[:name]); name end
|
data/lib/cli/group.rb
CHANGED
|
@@ -63,23 +63,26 @@ class GroupCli < CommonCli
|
|
|
63
63
|
|
|
64
64
|
define_option :id, "--id <id>", "map uaa group using group id"
|
|
65
65
|
define_option :name, "--name <name>", "map uaa scope using group name"
|
|
66
|
-
|
|
66
|
+
define_option :origin, "--origin <origin>", "map uaa scope to external group for this origin. Defaults to ldap."
|
|
67
|
+
desc "group map [external_group]", "Map uaa groups to external groups", :id, :name, :origin do |external_group|
|
|
67
68
|
return gripe "Please provide a group name or id" unless opts[:id] || opts[:name]
|
|
68
69
|
return gripe "Please provide an external group" unless external_group
|
|
69
70
|
|
|
70
71
|
group = opts[:id] ? opts[:id] : opts[:name]
|
|
71
72
|
is_id = opts[:id] ? true : false
|
|
73
|
+
origin = opts[:origin] ? opts[:origin] : 'ldap'
|
|
72
74
|
pp scim_request { |ua|
|
|
73
|
-
response = ua.map_group(group, is_id, external_group)
|
|
75
|
+
response = ua.map_group(group, is_id, external_group, origin)
|
|
74
76
|
raise BadResponse, "no group id found in response of external group mapping" unless response["groupid"]
|
|
75
|
-
"Successfully mapped #{response["displayname"]} to #{external_group}"
|
|
77
|
+
"Successfully mapped #{response["displayname"]} to #{external_group} for origin #{origin}"
|
|
76
78
|
}
|
|
77
79
|
end
|
|
78
80
|
|
|
79
|
-
desc "group unmap [group_name] [external_group]", "Unmaps an external group from a uaa group" do |group_name, external_group|
|
|
81
|
+
desc "group unmap [group_name] [external_group]", "Unmaps an external group from a uaa group", :origin do |group_name, external_group|
|
|
80
82
|
return gripe "Please provide a group name and external group" unless group_name && external_group
|
|
81
83
|
|
|
82
|
-
|
|
84
|
+
origin = opts[:origin] ? opts[:origin] : 'ldap'
|
|
85
|
+
|
|
83
86
|
response = Cli.run("group get #{group_name}")
|
|
84
87
|
if response
|
|
85
88
|
group_id = response['id']
|
|
@@ -87,9 +90,10 @@ class GroupCli < CommonCli
|
|
|
87
90
|
return gripe "Group #{group_name} not found"
|
|
88
91
|
end
|
|
89
92
|
|
|
93
|
+
|
|
90
94
|
pp scim_request { |ua|
|
|
91
|
-
ua.unmap_group(group_id, external_group)
|
|
92
|
-
"Successfully unmapped #{external_group} from #{group_name}"
|
|
95
|
+
ua.unmap_group(group_id, external_group, origin)
|
|
96
|
+
"Successfully unmapped #{external_group} from #{group_name} for origin #{origin}"
|
|
93
97
|
}
|
|
94
98
|
end
|
|
95
99
|
|
data/lib/cli/token.rb
CHANGED
|
@@ -137,6 +137,15 @@ class TokenCli < CommonCli
|
|
|
137
137
|
say_success "owner password" if set_context(reply)
|
|
138
138
|
end
|
|
139
139
|
|
|
140
|
+
define_option :passcode, "--passcode <passcode>"
|
|
141
|
+
desc "token sso get [client]", "Gets a token based on a one time passcode after successful SSO via browser",
|
|
142
|
+
:secret,:passcode,:scope do |client|
|
|
143
|
+
reply = issuer_request(clientid(client), clientsecret) { |ti|
|
|
144
|
+
ti.passcode_grant(passcode, opts[:scope]).info
|
|
145
|
+
}
|
|
146
|
+
say_success "owner passcode" if set_context(reply)
|
|
147
|
+
end
|
|
148
|
+
|
|
140
149
|
desc "token refresh [refreshtoken]", "Gets a new access token from a refresh token", :client, :secret, :scope do |rtok|
|
|
141
150
|
rtok ||= Config.value(:refresh_token)
|
|
142
151
|
reply = issuer_request(clientid, clientsecret) { |ti| ti.refresh_token_grant(rtok, opts[:scope]).info }
|
data/lib/cli/version.rb
CHANGED
data/lib/stub/scim.rb
CHANGED
|
@@ -284,25 +284,26 @@ class StubScim
|
|
|
284
284
|
[objs, total]
|
|
285
285
|
end
|
|
286
286
|
|
|
287
|
-
def add_group_mapping(external_group, group_id, group_name)
|
|
287
|
+
def add_group_mapping(external_group, group_id, group_name, origin)
|
|
288
288
|
group = group_id ? ref_by_id(group_id, :group) : ref_by_name(group_name, :group)
|
|
289
289
|
return unless group
|
|
290
|
-
(group[:external_groups] ||=
|
|
290
|
+
(group[:external_groups] ||= Hash.new)
|
|
291
|
+
group[:external_groups][external_group] = 'ldap'
|
|
291
292
|
group
|
|
292
293
|
end
|
|
293
294
|
|
|
294
|
-
def delete_group_mapping(group_id, external_group)
|
|
295
|
+
def delete_group_mapping(group_id, external_group, origin)
|
|
295
296
|
raise NotFound unless group = ref_by_id(group_id, :group)
|
|
296
297
|
raise NotFound unless group[:external_groups] && group[:external_groups].include?(external_group)
|
|
297
|
-
group[:external_groups].delete(
|
|
298
|
+
group[:external_groups][external_group].delete(origin)
|
|
298
299
|
end
|
|
299
300
|
|
|
300
301
|
def get_group_mappings
|
|
301
302
|
group_mappings = []
|
|
302
303
|
@things_by_id.each do |id, thing|
|
|
303
304
|
if thing[:rtype] == :group
|
|
304
|
-
thing[:external_groups].each do |
|
|
305
|
-
group_mappings << { groupid: thing[:id], displayname: thing[:displayname], externalgroup:
|
|
305
|
+
thing[:external_groups].each do |key, value|
|
|
306
|
+
group_mappings << { groupid: thing[:id], displayname: thing[:displayname], externalgroup: key }
|
|
306
307
|
end if thing[:external_groups]
|
|
307
308
|
end
|
|
308
309
|
end unless @things_by_id.empty?
|
data/lib/stub/uaa.rb
CHANGED
|
@@ -305,12 +305,21 @@ class StubUAAConn < Stub::Base
|
|
|
305
305
|
user = server.scim.get(user, :user, :id, :emails, :username)
|
|
306
306
|
reply.json(token_reply_info(client, scope, user, nil, true))
|
|
307
307
|
when "password"
|
|
308
|
-
|
|
309
|
-
|
|
308
|
+
notPassword = bad_params?(params, ['username', 'password'], ['scope'])
|
|
309
|
+
notPasscode = bad_params?(params, ['passcode'], ['scope'])
|
|
310
|
+
return if notPasscode && notPassword
|
|
311
|
+
unless notPassword
|
|
312
|
+
username = params['username']
|
|
313
|
+
password = params['password']
|
|
314
|
+
end
|
|
315
|
+
unless notPasscode
|
|
316
|
+
username, password = Base64::urlsafe_decode64(params['passcode']).split
|
|
317
|
+
end
|
|
318
|
+
user = find_user(username, password)
|
|
310
319
|
return reply.json(400, error: "invalid_grant") unless user
|
|
311
320
|
scope = calc_scope(client, user, params['scope'])
|
|
312
321
|
return reply.json(400, error: "invalid_scope") unless scope
|
|
313
|
-
reply.json(token_reply_info(client, scope, user))
|
|
322
|
+
reply.json(200, token_reply_info(client, scope, user))
|
|
314
323
|
when "client_credentials"
|
|
315
324
|
return if bad_params?(params, [], ['scope'])
|
|
316
325
|
scope = calc_scope(client, nil, params['scope'])
|
|
@@ -434,8 +443,9 @@ class StubUAAConn < Stub::Base
|
|
|
434
443
|
external_group = json["externalgroup"]
|
|
435
444
|
group_name = json["displayname"]
|
|
436
445
|
group_id = json["groupid"]
|
|
437
|
-
|
|
438
|
-
|
|
446
|
+
origin = json["origin"]
|
|
447
|
+
group = server.scim.add_group_mapping(external_group, group_id, group_name, origin)
|
|
448
|
+
reply_in_kind(displayName: group[:displayname], externalGroup: external_group, groupId: group[:id], origin: origin)
|
|
439
449
|
end
|
|
440
450
|
|
|
441
451
|
route :get, %r{^/Groups/External/list(\?|$)(.*)} do
|
|
@@ -455,13 +465,14 @@ class StubUAAConn < Stub::Base
|
|
|
455
465
|
reply_in_kind(resources: paginated_group_mappings, itemsPerPage: count, startIndex: start_index, totalResults: group_mappings.length)
|
|
456
466
|
end
|
|
457
467
|
|
|
458
|
-
route :delete, %r{^/Groups/External/
|
|
468
|
+
route :delete, %r{^/Groups/External/groupId/([^/]+)/externalGroup/([^/]+)/origin/([^/]+)$} do
|
|
459
469
|
return unless valid_token("scim.write")
|
|
460
470
|
|
|
461
471
|
group_id = match[1]
|
|
462
472
|
external_group = match[2]
|
|
473
|
+
origin = match[3]
|
|
463
474
|
begin
|
|
464
|
-
server.scim.delete_group_mapping(group_id, external_group)
|
|
475
|
+
server.scim.delete_group_mapping(group_id, external_group, origin)
|
|
465
476
|
rescue NotFound
|
|
466
477
|
not_found("Mapping for group ID #{match[1]} and external group #{match[2]}")
|
|
467
478
|
end
|
data/spec/group_spec.rb
CHANGED
|
@@ -230,7 +230,10 @@ describe GroupCli do
|
|
|
230
230
|
Cli.output.string.should include "Please provide an external group"
|
|
231
231
|
|
|
232
232
|
Cli.run "group map ldap-id --name #{@test_group}"
|
|
233
|
-
Cli.output.string.should include "Successfully mapped #{@test_group} to ldap-id"
|
|
233
|
+
Cli.output.string.should include "Successfully mapped #{@test_group} to ldap-id for origin ldap"
|
|
234
|
+
|
|
235
|
+
Cli.run "group map ldap-id --name #{@test_group} --origin ldap2"
|
|
236
|
+
Cli.output.string.should include "Successfully mapped #{@test_group} to ldap-id for origin ldap2"
|
|
234
237
|
|
|
235
238
|
Cli.run("group get #{@test_group}")
|
|
236
239
|
test_group_id = Cli.output.string.match(/id: ([\S]+)/)[1]
|
|
@@ -242,7 +245,10 @@ describe GroupCli do
|
|
|
242
245
|
Cli.run "context #{@test_client}"
|
|
243
246
|
|
|
244
247
|
Cli.run "group map ldap-id --name #{@test_group}"
|
|
245
|
-
Cli.output.string.should include "Successfully mapped #{@test_group} to ldap-id"
|
|
248
|
+
Cli.output.string.should include "Successfully mapped #{@test_group} to ldap-id for origin ldap"
|
|
249
|
+
|
|
250
|
+
Cli.run "group map ldap-id --name #{@test_group} --origin ldap2"
|
|
251
|
+
Cli.output.string.should include "Successfully mapped #{@test_group} to ldap-id for origin ldap2"
|
|
246
252
|
|
|
247
253
|
Cli.run("group get #{@test_group}")
|
|
248
254
|
|
|
@@ -253,11 +259,14 @@ describe GroupCli do
|
|
|
253
259
|
Cli.output.string.should include "Please provide a group name and external group"
|
|
254
260
|
|
|
255
261
|
Cli.run "group unmap #{@test_group} ldap-id"
|
|
256
|
-
Cli.output.string.should include "Successfully unmapped ldap-id from #{@test_group}"
|
|
262
|
+
Cli.output.string.should include "Successfully unmapped ldap-id from #{@test_group} for origin ldap"
|
|
257
263
|
|
|
258
264
|
Cli.run "group unmap nonexistent_group unmapped_ldap-id"
|
|
259
265
|
Cli.output.string.should include "Group nonexistent_group not found"
|
|
260
266
|
|
|
267
|
+
Cli.run "group unmap #{@test_group} ldap-id --origin ldap2"
|
|
268
|
+
Cli.output.string.should include "Successfully unmapped ldap-id from #{@test_group} for origin ldap2"
|
|
269
|
+
|
|
261
270
|
Cli.run "group unmap #{@test_group} unmapped_ldap-id"
|
|
262
271
|
Cli.output.string.should include "NotFound"
|
|
263
272
|
end
|
data/spec/token_spec.rb
CHANGED
|
@@ -26,7 +26,8 @@ describe TokenCli do
|
|
|
26
26
|
setup_target(authorities: "clients.read,scim.read,scim.write,uaa.resource")
|
|
27
27
|
Cli.run("token client get #{@test_client} -s #{@test_secret}").should be
|
|
28
28
|
Config.yaml.should include("access_token")
|
|
29
|
-
@
|
|
29
|
+
@test_pwd_unescaped = "@~`!$@%#%^$^&*)(|}{[]\":';?><,./"
|
|
30
|
+
@test_pwd = Shellwords.escape(@test_pwd_unescaped)
|
|
30
31
|
@test_user = "test_user_#{Time.now.to_i}"
|
|
31
32
|
Cli.run("user add #{@test_user} -p #{@test_pwd} " +
|
|
32
33
|
"--emails sam@example.com,joNES@sample.com --given_name SamueL " +
|
|
@@ -107,6 +108,13 @@ describe TokenCli do
|
|
|
107
108
|
Cli.output.string.should include "Successfully fetched token"
|
|
108
109
|
end
|
|
109
110
|
|
|
111
|
+
it "logs in with sso passcode grant" do
|
|
112
|
+
fakePasscode = Base64::urlsafe_encode64("#{@test_user} #{@test_pwd_unescaped}")
|
|
113
|
+
cli_run = Cli.run("token sso get #{@test_client} -s #{@test_secret} --passcode #{fakePasscode}")
|
|
114
|
+
cli_run.should be
|
|
115
|
+
Cli.output.string.should include "Successfully fetched token"
|
|
116
|
+
end
|
|
117
|
+
|
|
110
118
|
it "decodes the owner token" do
|
|
111
119
|
Cli.run("token decode").should be
|
|
112
120
|
["user_name", "exp", "aud", "scope", "client_id", "email", "user_id", "openid", "password.write"].each do |a|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cf-uaac
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dave Syer
|
|
@@ -12,7 +12,7 @@ authors:
|
|
|
12
12
|
autorequire:
|
|
13
13
|
bindir: bin
|
|
14
14
|
cert_chain: []
|
|
15
|
-
date: 2016-
|
|
15
|
+
date: 2016-03-31 00:00:00.000000000 Z
|
|
16
16
|
dependencies:
|
|
17
17
|
- !ruby/object:Gem::Dependency
|
|
18
18
|
name: bundler
|
|
@@ -104,14 +104,14 @@ dependencies:
|
|
|
104
104
|
requirements:
|
|
105
105
|
- - "~>"
|
|
106
106
|
- !ruby/object:Gem::Version
|
|
107
|
-
version: 3.
|
|
107
|
+
version: 3.4.0
|
|
108
108
|
type: :runtime
|
|
109
109
|
prerelease: false
|
|
110
110
|
version_requirements: !ruby/object:Gem::Requirement
|
|
111
111
|
requirements:
|
|
112
112
|
- - "~>"
|
|
113
113
|
- !ruby/object:Gem::Version
|
|
114
|
-
version: 3.
|
|
114
|
+
version: 3.4.0
|
|
115
115
|
- !ruby/object:Gem::Dependency
|
|
116
116
|
name: highline
|
|
117
117
|
requirement: !ruby/object:Gem::Requirement
|