RubyGems - opennebula - Versions diffs - 6.99.90.pre → 7.0.1 - Mend

opennebula 6.99.90.pre → 7.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/cloud/CloudClient.rb +1 -1
data/lib/opennebula/flow/validator.rb +4 -3
data/lib/opennebula/group.rb +6 -1
data/lib/opennebula/saml_auth.rb +254 -0
data/lib/opennebula.rb +1 -1
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e47d3e1236aa4bb0b49af0e3da7823975ec6828947e6dba82b06c170d99373bc
-  data.tar.gz: 21017176d00e3e469273fb514862049b787147e757362ad4b87c710d6a59d863
+  metadata.gz: 1edcccf0b9e0d503d1c4d28cd64205a58eb85d0f0ab6d62d2f7d6c229b27d841
+  data.tar.gz: 47ee96dcfcb9d7b92243ea88eb6f9630866537539ef7bfc1cd7ea7fc698c28b3
 SHA512:
-  metadata.gz: d3a6a8f6c54070c5187455e34cf9723b35d8f88d6741cfd2df34def1d5913d5b5804699bc48b302c674fb10ea617e74075f6a6bb6529d27492899ea09fcf691f
-  data.tar.gz: fce438b38a0f8ef809a20e603f0f5ef1027a4724eb63828ffe54cfe487148743dc2cee923fad335e14891ede522ea0bc4e8d10e8c34ef1b5afd7fedefef94da6
+  metadata.gz: 3f94e3f828c2e31c71e8bdf12c5dfc6a4d4a72c92c4333f5a71c85fb7a35e8bdb108fd9b5834e8849d79431888c4402cb047ce688371db6c1feeb29368600c6c
+  data.tar.gz: 1c1969f628aea70d2fc5702fc8103ffd9e9a4fb22a01f46003c32994829acc3e049be89a85a93c635dcc911cdbaf6f10d1ed45743a25e122bf7e8dacbdb88f02

data/lib/cloud/CloudClient.rb CHANGED Viewed

@@ -51,7 +51,7 @@ end
 module CloudClient
     # OpenNebula version
-    VERSION = '6.99.90'
+    VERSION = '7.0.1'
     # #########################################################################
     # Default location for the authentication file

data/lib/opennebula/flow/validator.rb CHANGED Viewed

@@ -42,9 +42,10 @@ class Hash
             target[key] =
                 if value.is_a?(Hash) && current.is_a?(Hash)
-                    current.deep_merge(value)
-                elsif (value.is_a?(Array) && current.is_a?(Array)) && merge_array
-                    current + value
+                    current.deep_merge(value, merge_array)
+                elsif value.is_a?(Array) && current.is_a?(Array) && merge_array
+                    merged = current + value
+                    merged.all? {|el| el.is_a?(Hash) } ? merged.uniq : merged
                 else
                     value
                 end

data/lib/opennebula/group.rb CHANGED Viewed

@@ -42,6 +42,7 @@ module OpenNebula
         # The default view for group and group admins, must be defined in
         # sunstone_views.yaml
         GROUP_ADMIN_SUNSTONE_VIEWS = "groupadmin"
+        GROUP_SUNSTONE_VIEWS       = "cloud"
         # Creates a Group description with just its identifier
         # this method should be used to create plain Group objects.
@@ -144,10 +145,14 @@ module OpenNebula
             # Add Sunstone views for the group
             if group_hash[:views]
                 sunstone_attrs << "VIEWS=\"#{group_hash[:views].join(",")}\""
+            else
+                sunstone_attrs << "VIEWS=\"#{GROUP_SUNSTONE_VIEWS}\""
             end
             if group_hash[:default_view]
                 sunstone_attrs << "DEFAULT_VIEW=\"#{group_hash[:default_view]}\""
+            else
+                sunstone_attrs << "DEFAULT_VIEW=\"#{GROUP_SUNSTONE_VIEWS}\""
             end
             # And the admin views
@@ -168,7 +173,7 @@ module OpenNebula
             if sunstone_attrs.length > 0
                 do_update = true
-                update_str = "SUNSTONE=[#{sunstone_attrs.join(",\n")}]\n"
+                update_str = "FIREEDGE=[#{sunstone_attrs.join(",\n")}]\n"
             end
             opennebula_attrs = []

data/lib/opennebula/saml_auth.rb ADDED Viewed

@@ -0,0 +1,254 @@
+# ---------------------------------------------------------------------------- #
+# Copyright 2002-2024, OpenNebula Project, OpenNebula Systems                  #
+#                                                                              #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may      #
+# not use this file except in compliance with the License. You may obtain      #
+# a copy of the License at                                                     #
+#                                                                              #
+# http://www.apache.org/licenses/LICENSE-2.0                                   #
+#                                                                              #
+# Unless required by applicable law or agreed to in writing, software          #
+# distributed under the License is distributed on an "AS IS" BASIS,            #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.     #
+# See the License for the specific language governing permissions and          #
+# limitations under the License.                                               #
+# ---------------------------------------------------------------------------- #
+require 'rubygems'
+require 'opennebula/xml_utils'
+require 'opennebula/client'
+require 'opennebula/group_pool'
+require 'yaml'
+require 'onelogin/ruby-saml'
+if !defined?(ONE_LOCATION)
+    ONE_LOCATION=ENV['ONE_LOCATION']
+end
+if !ONE_LOCATION
+    VAR_LOCATION='/var/lib/one/'
+else
+    VAR_LOCATION=ONE_LOCATION+'/var/'
+end
+# A top-level module for OpenNebula related classes.
+module OpenNebula
+    # This class handles SAML authentication responses and group mapping for OpenNebula.
+    class SamlAuth
+        def initialize(provider, config)
+            @options={
+                :issuer             => nil,
+                :idp_cert           => nil,
+                :user_field         => 'NameID',
+                :group_field        => 'memberOf',
+                :group_required     => nil,
+                :mapping_generate   => true,
+                :mapping_key        => 'SAML_GROUP',
+                :mapping_mode       => 'strict',
+                :mapping_timeout    => 300,
+                :mapping_filename   => 'saml_groups_1.yaml',
+                :mapping_default    => 1,
+                :group_admin_name   => 'cloud-admins'
+            }.merge(provider)
+            @options[:mapping_file_path] = VAR_LOCATION + @options[:mapping_filename]
+            @options[:sp_entity_id] = config[:sp_entity_id]
+            @options[:acs_url]      = config[:acs_url]
+            if !options_ok?
+                raise StandardError,
+                      'Identity Provider configured options are not correct.' \
+                      ' Please, configure a valid Identity Provider certificate.'
+            end
+            generate_mapping if @options[:mapping_generate]
+            load_mapping
+        end
+        def options_ok?
+            required_keys = [:issuer, :idp_cert, :sp_entity_id, :group_field]
+            return false unless required_keys.all? {|key| @options.key?(key) }
+            # Avoid XPath injection towards the assertion
+            !@options[:group_field].include?("'")
+        end
+        # Validates SAML assertion using the ruby-saml library.
+        # Returns true if the assertion is valid.
+        # If not valid, returns an array of errors with the failed validations.
+        #
+        # The following validations are performed:
+        #  validations = [
+        #    :validate_version,                  # SAML 2.0 is used
+        #    :validate_id,                       # assertion contains an ID
+        #    :validate_success_status,           # status of the assertion
+        #    :validate_num_assertion,            # only a single assertion is contained
+        #    :validate_signed_elements,          # only valid elements are signed
+        #    :validate_structure,                # assertion against a specific schema
+        #    :validate_no_duplicated_attributes, # duplicated attributes
+        #    :validate_in_response_to,       # provided request_id == inResponseTo
+        #    :validate_one_conditions,       # saml:Conditions exist
+        #    :validate_conditions,           # assertion is not expired
+        #    :validate_one_authnstatement,   # saml:AuthnStatement exists
+        #    :validate_audience,             # Audience == sp_entity_id
+        #    :validate_destination,          # destination == acs_url
+        #    :validate_issuer,               # assertion issuer matches the configured one
+        #    :validate_session_expiration,   # expiration (SessionNotOnOrAfter)
+        #    :validate_subject_confirmation, # subject confirmation is correct
+        #    :validate_name_id,              # NameID element is present
+        #    :validate_signature             # assertion signature
+        #  ]
+        # Source: https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/response.rb#L399
+        def validate_assertion(assertion_text)
+            saml_settings = OneLogin::RubySaml::Settings.new
+            saml_settings.idp_cert = @options[:idp_cert]
+            saml_settings.issuer   = @options[:issuer]
+            saml_settings.sp_entity_id                   = @options[:sp_entity_id]
+            saml_settings.assertion_consumer_service_url = @options[:acs_url]
+            assertion = OneLogin::RubySaml::Response.new(assertion_text, :settings => saml_settings)
+            return if assertion.is_valid?
+            assertion.errors
+        end
+        def generate_mapping
+            file = @options[:mapping_file_path]
+            File.open(file, File::RDWR | File::CREAT) do |f|
+                # Shared lock for reading the file
+                f.flock(File::LOCK_SH)
+                stat = f.stat
+                age  = Time.now.to_i - stat.mtime.to_i
+                break if age <= @options[:mapping_timeout]
+                # Switch to exclusive lock for writing
+                f.flock(File::LOCK_UN)
+                f.flock(File::LOCK_EX)
+                # Check stat again, it might have changed while we were waiting for the lock
+                stat = f.stat
+                age  = Time.now.to_i - stat.mtime.to_i
+                break if age <= @options[:mapping_timeout]
+                client     = OpenNebula::Client.new
+                group_pool = OpenNebula::GroupPool.new(client)
+                rc = group_pool.info
+                raise StandardError, rc.message if OpenNebula.is_error?(rc)
+                groups = [group_pool.get_hash['GROUP_POOL']['GROUP']].flatten
+                yaml   = {}
+                groups.each do |group|
+                    if group['TEMPLATE'] && group['TEMPLATE'][@options[:mapping_key]]
+                        yaml[group['TEMPLATE'][@options[:mapping_key]]] = group['ID']
+                    end
+                end
+                f.truncate(0)
+                f.rewind
+                f.write(yaml.to_yaml)
+            ensure
+                f.flock(File::LOCK_UN)
+            end
+        end
+        def load_mapping
+            file=@options[:mapping_file_path]
+            @mapping = {}
+            if File.exist?(file)
+                @mapping = YAML.safe_load(File.read(file))
+            end
+            @mapping = {} unless @mapping.class == Hash
+        end
+        def validate_required_group(idp_groups)
+            required = @options[:group_required]
+            return if required.nil?
+            return if idp_groups.include?(required) || idp_groups.include?("/#{required}")
+            raise StandardError,
+                  'The user does not belong to the required group.' \
+                  " Groups reported by the IdP: #{idp_groups}" \
+                  " Configured required group: #{required} ( /#{required} if using Keycloak )"
+        end
+        def get_groups(idp_groups)
+            is_admin = false
+            case @options[:mapping_mode]
+            # Direct mapping of SAML group names to ONE group IDs
+            when 'strict'
+                valid_mappings = idp_groups.map {|group| @mapping[group] }.compact
+                g_admin  = @options[:group_admin_name]
+                is_admin = g_admin && idp_groups.include?(g_admin)
+            # Keycloak-specific group syntax and group nesting support (e.g. /group1/subgroup1)
+            when 'keycloak'
+                valid_mappings = []
+                idp_groups.each do |idp_group|
+                    group_parts = idp_group.split('/')
+                    group_parts.reject!(&:empty?)
+                    # Build all possible parent group paths
+                    (1..group_parts.length).each do |i|
+                        # Create group path with leading slash (Keycloak format)
+                        group_path = '/' + group_parts[0...i].join('/')
+                        is_admin = true if group_path == @options[:group_admin_name]
+                        # Check direct mapping first
+                        if @mapping[group_path]
+                            valid_mappings << @mapping[group_path]
+                        elsif i == 1
+                            # Try without the leading slash for single group parts
+                            # E.g. in the mapping file "/group1" should be the same as "group1"
+                            group_path_no_slash = group_parts[0]
+                            is_admin = true if group_path_no_slash == @options[:group_admin_name]
+                            if @mapping[group_path_no_slash]
+                                valid_mappings << @mapping[group_path_no_slash]
+                            end
+                        end
+                    end
+                end
+                valid_mappings.compact!
+                valid_mappings.uniq!
+            else
+                raise StandardError,
+                      "Unsupported group mapping mode: #{@options[:mapping_mode]}." \
+                      " Supported modes are 'strict' and 'keycloak'."
+            end
+            # Return the default group if no mapping is found
+            valid_mappings = [@options[:mapping_default].to_s] if valid_mappings.empty?
+            # Handle group admin case. Group admin can NOT be a nested group
+            valid_mappings = valid_mappings.map {|id| "*#{id}" } if is_admin
+            return valid_mappings.join(' ')
+        end
+    end
+end

data/lib/opennebula.rb CHANGED Viewed

@@ -79,5 +79,5 @@ require 'opennebula/backupjob_pool'
 module OpenNebula
     # OpenNebula version
-    VERSION = '6.99.90'
+    VERSION = '7.0.1'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: opennebula
 version: !ruby/object:Gem::Version
-  version: 6.99.90.pre
+  version: 7.0.1
 platform: ruby
 authors:
 - OpenNebula
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-06-22 00:00:00.000000000 Z
+date: 2025-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -150,6 +150,7 @@ files:
 - lib/opennebula/oneflow_client.rb
 - lib/opennebula/pool.rb
 - lib/opennebula/pool_element.rb
+- lib/opennebula/saml_auth.rb
 - lib/opennebula/security_group.rb
 - lib/opennebula/security_group_pool.rb
 - lib/opennebula/server_cipher_auth.rb
@@ -197,9 +198,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.3.5
 signing_key: