opennebula 7.0.0 → 7.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 235d927119b2e53f0e2968d09b2020f3bed88c988537d80483d36099f69713b2
-  data.tar.gz: 830c3859007c69370867b2770f4f6df6e683a585f6edae3e445698ea59364a83
+  metadata.gz: 1edcccf0b9e0d503d1c4d28cd64205a58eb85d0f0ab6d62d2f7d6c229b27d841
+  data.tar.gz: 47ee96dcfcb9d7b92243ea88eb6f9630866537539ef7bfc1cd7ea7fc698c28b3
 SHA512:
-  metadata.gz: 35a2957b7e63e3f8c4ac747f5aab913c4c439f1f14554ed064571a7b585de62db436a0f41a7ca484b3ba9c8e33299bc0cf42f1958107ec24677f061664324d83
-  data.tar.gz: b2c227239cdbbd486e9101cea6c671338cc52bc58e73695d39e91511b2b3d616e4d0ad3f6281d173b42c05ac4de8215d6563e1ea1994c79be3f79380d8809262
+  metadata.gz: 3f94e3f828c2e31c71e8bdf12c5dfc6a4d4a72c92c4333f5a71c85fb7a35e8bdb108fd9b5834e8849d79431888c4402cb047ce688371db6c1feeb29368600c6c
+  data.tar.gz: 1c1969f628aea70d2fc5702fc8103ffd9e9a4fb22a01f46003c32994829acc3e049be89a85a93c635dcc911cdbaf6f10d1ed45743a25e122bf7e8dacbdb88f02

data/lib/cloud/CloudClient.rb

@@ -51,7 +51,7 @@ end
 module CloudClient
 
     # OpenNebula version
-    VERSION = '7.0.0'
+    VERSION = '7.0.1'
 
     # #########################################################################
     # Default location for the authentication file

data/lib/opennebula/flow/validator.rb

@@ -42,9 +42,10 @@ class Hash
 
             target[key] =
                 if value.is_a?(Hash) && current.is_a?(Hash)
-                    current.deep_merge(value)
-                elsif (value.is_a?(Array) && current.is_a?(Array)) && merge_array
-                    current + value
+                    current.deep_merge(value, merge_array)
+                elsif value.is_a?(Array) && current.is_a?(Array) && merge_array
+                    merged = current + value
+                    merged.all? {|el| el.is_a?(Hash) } ? merged.uniq : merged
                 else
                     value
                 end

data/lib/opennebula/group.rb

@@ -42,6 +42,7 @@ module OpenNebula
         # The default view for group and group admins, must be defined in
         # sunstone_views.yaml
         GROUP_ADMIN_SUNSTONE_VIEWS = "groupadmin"
+        GROUP_SUNSTONE_VIEWS       = "cloud"
 
         # Creates a Group description with just its identifier
         # this method should be used to create plain Group objects.
@@ -144,10 +145,14 @@ module OpenNebula
             # Add Sunstone views for the group
             if group_hash[:views]
                 sunstone_attrs << "VIEWS=\"#{group_hash[:views].join(",")}\""
+            else
+                sunstone_attrs << "VIEWS=\"#{GROUP_SUNSTONE_VIEWS}\""
             end
 
             if group_hash[:default_view]
                 sunstone_attrs << "DEFAULT_VIEW=\"#{group_hash[:default_view]}\""
+            else
+                sunstone_attrs << "DEFAULT_VIEW=\"#{GROUP_SUNSTONE_VIEWS}\""
             end
 
             # And the admin views
@@ -168,7 +173,7 @@ module OpenNebula
             if sunstone_attrs.length > 0
                 do_update = true
 
-                update_str = "SUNSTONE=[#{sunstone_attrs.join(",\n")}]\n"
+                update_str = "FIREEDGE=[#{sunstone_attrs.join(",\n")}]\n"
             end
 
             opennebula_attrs = []

data/lib/opennebula/saml_auth.rb

@@ -0,0 +1,254 @@
+# ---------------------------------------------------------------------------- #
+# Copyright 2002-2024, OpenNebula Project, OpenNebula Systems                  #
+#                                                                              #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may      #
+# not use this file except in compliance with the License. You may obtain      #
+# a copy of the License at                                                     #
+#                                                                              #
+# http://www.apache.org/licenses/LICENSE-2.0                                   #
+#                                                                              #
+# Unless required by applicable law or agreed to in writing, software          #
+# distributed under the License is distributed on an "AS IS" BASIS,            #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.     #
+# See the License for the specific language governing permissions and          #
+# limitations under the License.                                               #
+# ---------------------------------------------------------------------------- #
+
+require 'rubygems'
+require 'opennebula/xml_utils'
+require 'opennebula/client'
+require 'opennebula/group_pool'
+require 'yaml'
+require 'onelogin/ruby-saml'
+
+if !defined?(ONE_LOCATION)
+    ONE_LOCATION=ENV['ONE_LOCATION']
+end
+
+if !ONE_LOCATION
+    VAR_LOCATION='/var/lib/one/'
+else
+    VAR_LOCATION=ONE_LOCATION+'/var/'
+end
+
+# A top-level module for OpenNebula related classes.
+module OpenNebula
+
+    # This class handles SAML authentication responses and group mapping for OpenNebula.
+    class SamlAuth
+
+        def initialize(provider, config)
+            @options={
+                :issuer             => nil,
+                :idp_cert           => nil,
+                :user_field         => 'NameID',
+                :group_field        => 'memberOf',
+                :group_required     => nil,
+                :mapping_generate   => true,
+                :mapping_key        => 'SAML_GROUP',
+                :mapping_mode       => 'strict',
+                :mapping_timeout    => 300,
+                :mapping_filename   => 'saml_groups_1.yaml',
+                :mapping_default    => 1,
+                :group_admin_name   => 'cloud-admins'
+            }.merge(provider)
+
+            @options[:mapping_file_path] = VAR_LOCATION + @options[:mapping_filename]
+
+            @options[:sp_entity_id] = config[:sp_entity_id]
+            @options[:acs_url]      = config[:acs_url]
+
+            if !options_ok?
+                raise StandardError,
+                      'Identity Provider configured options are not correct.' \
+                      ' Please, configure a valid Identity Provider certificate.'
+            end
+
+            generate_mapping if @options[:mapping_generate]
+
+            load_mapping
+        end
+
+        def options_ok?
+            required_keys = [:issuer, :idp_cert, :sp_entity_id, :group_field]
+            return false unless required_keys.all? {|key| @options.key?(key) }
+
+            # Avoid XPath injection towards the assertion
+            !@options[:group_field].include?("'")
+        end
+
+        # Validates SAML assertion using the ruby-saml library.
+        # Returns true if the assertion is valid.
+        # If not valid, returns an array of errors with the failed validations.
+        #
+        # The following validations are performed:
+        #  validations = [
+        #    :validate_version,                  # SAML 2.0 is used
+        #    :validate_id,                       # assertion contains an ID
+        #    :validate_success_status,           # status of the assertion
+        #    :validate_num_assertion,            # only a single assertion is contained
+        #    :validate_signed_elements,          # only valid elements are signed
+        #    :validate_structure,                # assertion against a specific schema
+        #    :validate_no_duplicated_attributes, # duplicated attributes
+        #    :validate_in_response_to,       # provided request_id == inResponseTo
+        #    :validate_one_conditions,       # saml:Conditions exist
+        #    :validate_conditions,           # assertion is not expired
+        #    :validate_one_authnstatement,   # saml:AuthnStatement exists
+        #    :validate_audience,             # Audience == sp_entity_id
+        #    :validate_destination,          # destination == acs_url
+        #    :validate_issuer,               # assertion issuer matches the configured one
+        #    :validate_session_expiration,   # expiration (SessionNotOnOrAfter)
+        #    :validate_subject_confirmation, # subject confirmation is correct
+        #    :validate_name_id,              # NameID element is present
+        #    :validate_signature             # assertion signature
+        #  ]
+
+        # Source: https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/response.rb#L399
+
+        def validate_assertion(assertion_text)
+            saml_settings = OneLogin::RubySaml::Settings.new
+
+            saml_settings.idp_cert = @options[:idp_cert]
+            saml_settings.issuer   = @options[:issuer]
+
+            saml_settings.sp_entity_id                   = @options[:sp_entity_id]
+            saml_settings.assertion_consumer_service_url = @options[:acs_url]
+
+            assertion = OneLogin::RubySaml::Response.new(assertion_text, :settings => saml_settings)
+
+            return if assertion.is_valid?
+
+            assertion.errors
+        end
+
+        def generate_mapping
+            file = @options[:mapping_file_path]
+
+            File.open(file, File::RDWR | File::CREAT) do |f|
+                # Shared lock for reading the file
+                f.flock(File::LOCK_SH)
+
+                stat = f.stat
+                age  = Time.now.to_i - stat.mtime.to_i
+
+                break if age <= @options[:mapping_timeout]
+
+                # Switch to exclusive lock for writing
+                f.flock(File::LOCK_UN)
+                f.flock(File::LOCK_EX)
+
+                # Check stat again, it might have changed while we were waiting for the lock
+                stat = f.stat
+                age  = Time.now.to_i - stat.mtime.to_i
+
+                break if age <= @options[:mapping_timeout]
+
+                client     = OpenNebula::Client.new
+                group_pool = OpenNebula::GroupPool.new(client)
+
+                rc = group_pool.info
+
+                raise StandardError, rc.message if OpenNebula.is_error?(rc)
+
+                groups = [group_pool.get_hash['GROUP_POOL']['GROUP']].flatten
+                yaml   = {}
+
+                groups.each do |group|
+                    if group['TEMPLATE'] && group['TEMPLATE'][@options[:mapping_key]]
+                        yaml[group['TEMPLATE'][@options[:mapping_key]]] = group['ID']
+                    end
+                end
+
+                f.truncate(0)
+                f.rewind
+                f.write(yaml.to_yaml)
+            ensure
+                f.flock(File::LOCK_UN)
+            end
+        end
+
+        def load_mapping
+            file=@options[:mapping_file_path]
+
+            @mapping = {}
+
+            if File.exist?(file)
+                @mapping = YAML.safe_load(File.read(file))
+            end
+
+            @mapping = {} unless @mapping.class == Hash
+        end
+
+        def validate_required_group(idp_groups)
+            required = @options[:group_required]
+            return if required.nil?
+
+            return if idp_groups.include?(required) || idp_groups.include?("/#{required}")
+
+            raise StandardError,
+                  'The user does not belong to the required group.' \
+                  " Groups reported by the IdP: #{idp_groups}" \
+                  " Configured required group: #{required} ( /#{required} if using Keycloak )"
+        end
+
+        def get_groups(idp_groups)
+            is_admin = false
+            case @options[:mapping_mode]
+            # Direct mapping of SAML group names to ONE group IDs
+            when 'strict'
+                valid_mappings = idp_groups.map {|group| @mapping[group] }.compact
+
+                g_admin  = @options[:group_admin_name]
+                is_admin = g_admin && idp_groups.include?(g_admin)
+            # Keycloak-specific group syntax and group nesting support (e.g. /group1/subgroup1)
+            when 'keycloak'
+                valid_mappings = []
+
+                idp_groups.each do |idp_group|
+                    group_parts = idp_group.split('/')
+                    group_parts.reject!(&:empty?)
+
+                    # Build all possible parent group paths
+                    (1..group_parts.length).each do |i|
+                        # Create group path with leading slash (Keycloak format)
+                        group_path = '/' + group_parts[0...i].join('/')
+
+                        is_admin = true if group_path == @options[:group_admin_name]
+
+                        # Check direct mapping first
+                        if @mapping[group_path]
+                            valid_mappings << @mapping[group_path]
+                        elsif i == 1
+                            # Try without the leading slash for single group parts
+                            # E.g. in the mapping file "/group1" should be the same as "group1"
+                            group_path_no_slash = group_parts[0]
+
+                            is_admin = true if group_path_no_slash == @options[:group_admin_name]
+
+                            if @mapping[group_path_no_slash]
+                                valid_mappings << @mapping[group_path_no_slash]
+                            end
+                        end
+                    end
+                end
+
+                valid_mappings.compact!
+                valid_mappings.uniq!
+            else
+                raise StandardError,
+                      "Unsupported group mapping mode: #{@options[:mapping_mode]}." \
+                      " Supported modes are 'strict' and 'keycloak'."
+            end
+
+            # Return the default group if no mapping is found
+            valid_mappings = [@options[:mapping_default].to_s] if valid_mappings.empty?
+
+            # Handle group admin case. Group admin can NOT be a nested group
+            valid_mappings = valid_mappings.map {|id| "*#{id}" } if is_admin
+
+            return valid_mappings.join(' ')
+        end
+
+    end
+
+end

data/lib/opennebula.rb

@@ -79,5 +79,5 @@ require 'opennebula/backupjob_pool'
 module OpenNebula
 
     # OpenNebula version
-    VERSION = '7.0.0'
+    VERSION = '7.0.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: opennebula
 version: !ruby/object:Gem::Version
-  version: 7.0.0
+  version: 7.0.1
 platform: ruby
 authors:
 - OpenNebula
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2025-07-02 00:00:00.000000000 Z
+date: 2025-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -150,6 +150,7 @@ files:
 - lib/opennebula/oneflow_client.rb
 - lib/opennebula/pool.rb
 - lib/opennebula/pool_element.rb
+- lib/opennebula/saml_auth.rb
 - lib/opennebula/security_group.rb
 - lib/opennebula/security_group_pool.rb
 - lib/opennebula/server_cipher_auth.rb