@rockcarver/frodo-lib 0.11.0

package/src/ops/LogOps.js

@@ -0,0 +1,357 @@
+import { printMessage } from './utils/Console.js';
+import { getCurrentTimestamp } from './utils/ExportImportUtils.js';
+import {
+  createAPIKeyAndSecret,
+  getAPIKeys,
+  getSources,
+} from '../api/LogApi.js';
+
+import storage from '../storage/SessionStorage.js';
+
+import * as LogApi from '../api/LogApi.js';
+
+const unfilterableNoise = [
+  'text/plain'  // Unfortunately, it is impossible to filter out those without excluding IDM script logging as well
+]
+
+const miscNoise = [
+  'com.iplanet.dpro.session.operations.ServerSessionOperationStrategy',
+  'com.iplanet.dpro.session.SessionIDFactory',
+  'com.iplanet.dpro.session.share.SessionEncodeURL',
+  'com.iplanet.services.naming.WebtopNaming',
+  'com.iplanet.sso.providers.dpro.SSOProviderImpl',
+  'com.sun.identity.authentication.AuthContext',
+  'com.sun.identity.authentication.client.AuthClientUtils',
+  'com.sun.identity.authentication.config.AMAuthConfigType',
+  'com.sun.identity.authentication.config.AMAuthenticationManager',
+  'com.sun.identity.authentication.config.AMAuthLevelManager',
+  'com.sun.identity.authentication.config.AMConfiguration',
+  'com.sun.identity.authentication.jaas.LoginContext',
+  'com.sun.identity.authentication.modules.application.Application',
+  'com.sun.identity.authentication.server.AuthContextLocal',
+  'com.sun.identity.authentication.service.AMLoginContext',
+  'com.sun.identity.authentication.service.AuthContextLookup',
+  'com.sun.identity.authentication.service.AuthD',
+  'com.sun.identity.authentication.service.AuthUtils',
+  'com.sun.identity.authentication.service.DSAMECallbackHandler',
+  'com.sun.identity.authentication.service.LoginState',
+  'com.sun.identity.authentication.spi.AMLoginModule',
+  'com.sun.identity.delegation.DelegationEvaluatorImpl',
+  'com.sun.identity.idm.plugins.internal.AgentsRepo',
+  'com.sun.identity.idm.server.IdCachedServicesImpl',
+  'com.sun.identity.idm.server.IdRepoPluginsCache',
+  'com.sun.identity.idm.server.IdServicesImpl',
+  'com.sun.identity.log.spi.ISDebug',
+  'com.sun.identity.shared.encode.CookieUtils',
+  'com.sun.identity.sm.ldap.SMSLdapObject',
+  'com.sun.identity.sm.CachedSMSEntry',
+  'com.sun.identity.sm.CachedSubEntries',
+  'com.sun.identity.sm.DNMapper',
+  'com.sun.identity.sm.ServiceConfigImpl',
+  'com.sun.identity.sm.ServiceConfigManagerImpl',
+  'com.sun.identity.sm.SMSEntry',
+  'com.sun.identity.sm.SMSUtils',
+  'com.sun.identity.sm.SmsWrapperObject',
+  'oauth2',
+  'org.apache.http.client.protocol.RequestAuthCache',
+  'org.apache.http.impl.conn.PoolingHttpClientConnectionManager',
+  'org.apache.http.impl.nio.client.InternalHttpAsyncClient',
+  'org.apache.http.impl.nio.client.InternalIODispatch',
+  'org.apache.http.impl.nio.client.MainClientExec',
+  'org.apache.http.impl.nio.conn.ManagedNHttpClientConnectionImpl',
+  'org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager',
+  'org.forgerock.audit.AuditServiceImpl',
+  'org.forgerock.oauth2.core.RealmOAuth2ProviderSettings',
+  'org.forgerock.openam.authentication.service.JAASModuleDetector',
+  'org.forgerock.openam.authentication.service.LoginContextFactory',
+  'org.forgerock.openam.blacklist.BloomFilterBlacklist',
+  'org.forgerock.openam.blacklist.CTSBlacklist',
+  'org.forgerock.openam.core.realms.impl.CachingRealmLookup',
+  'org.forgerock.openam.core.rest.authn.RestAuthCallbackHandlerManager',
+  'org.forgerock.openam.core.rest.authn.trees.AuthTrees',
+  'org.forgerock.openam.cors.CorsFilter',
+  'org.forgerock.openam.cts.CTSPersistentStoreImpl',
+  'org.forgerock.openam.cts.impl.CoreTokenAdapter',
+  'org.forgerock.openam.cts.impl.queue.AsyncResultHandler',
+  'org.forgerock.openam.cts.reaper.ReaperDeleteOnQueryResultHandler',
+  'org.forgerock.openam.headers.DisableSameSiteCookiesFilter',
+  'org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo',
+  'org.forgerock.openam.rest.CsrfFilter',
+  'org.forgerock.openam.rest.restAuthenticationFilter',
+  'org.forgerock.openam.rest.fluent.CrestLoggingFilter',
+  'org.forgerock.openam.session.cts.CtsOperations',
+  'org.forgerock.openam.session.stateless.StatelessSessionManager',
+  'org.forgerock.openam.sm.datalayer.impl.ldap.ExternalLdapConfig',
+  'org.forgerock.openam.sm.datalayer.impl.ldap.LdapQueryBuilder',
+  'org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutor',
+  'org.forgerock.openam.sm.datalayer.impl.SeriesTaskExecutorThread',
+  'org.forgerock.openam.sm.datalayer.providers.LdapConnectionFactoryProvider',
+  'org.forgerock.openam.sm.file.ConfigFileSystemHandler',
+  'org.forgerock.openam.social.idp.SocialIdentityProviders',
+  'org.forgerock.openam.utils.ClientUtils',
+  'org.forgerock.opendj.ldap.CachedConnectionPool',
+  'org.forgerock.opendj.ldap.LoadBalancer',
+  'org.forgerock.secrets.keystore.KeyStoreSecretStore',
+  'org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore',
+  'org.forgerock.secrets.SecretsProvider',
+];
+
+const journeysNoise = [
+  'org.forgerock.openam.auth.trees.engine.AuthTreeExecutor',
+];
+
+// eslint-disable-next-line no-unused-vars
+const journeys = [
+  'org.forgerock.openam.auth.nodes.SelectIdPNode',
+  'org.forgerock.openam.auth.nodes.ValidatedPasswordNode',
+  'org.forgerock.openam.auth.nodes.ValidatedUsernameNode',
+  'org.forgerock.openam.auth.trees.engine.AuthTreeExecutor',
+];
+
+const samlNoise = [
+  'com.sun.identity.cot.COTCache',
+  'com.sun.identity.plugin.configuration.impl.ConfigurationInstanceImpl',
+  'com.sun.identity.saml2.meta.SAML2MetaCache',
+  'com.sun.identity.saml2.profile.CacheCleanUpRunnable',
+  'org.apache.xml.security.keys.KeyInfo',
+  'org.apache.xml.security.signature.XMLSignature',
+  'org.apache.xml.security.utils.SignerOutputStream',
+  'org.apache.xml.security.utils.resolver.ResourceResolver',
+  'org.apache.xml.security.utils.resolver.implementations.ResolverFragment',
+  'org.apache.xml.security.algorithms.JCEMapper',
+  'org.apache.xml.security.algorithms.implementations.SignatureBaseRSA',
+  'org.apache.xml.security.algorithms.SignatureAlgorithm',
+  'org.apache.xml.security.utils.ElementProxy',
+  'org.apache.xml.security.transforms.Transforms',
+  'org.apache.xml.security.utils.DigesterOutputStream',
+  'org.apache.xml.security.signature.Reference',
+  'org.apache.xml.security.signature.Manifest',
+];
+
+// eslint-disable-next-line no-unused-vars
+const saml = [
+  'jsp.saml2.spAssertionConsumer',
+  'com.sun.identity.saml.common.SAMLUtils',
+  'com.sun.identity.saml2.common.SAML2Utils',
+  'com.sun.identity.saml2.meta.SAML2MetaManager',
+  'com.sun.identity.saml2.xmlsig.FMSigProvider',
+];
+
+const noise = miscNoise.concat(samlNoise).concat(journeysNoise);
+
+const numLogLevelMap = {
+  0: ['SEVERE', 'ERROR', 'FATAL'],
+  1: ['WARNING', 'WARN', 'CONFIG'],
+  2: ['INFO', 'INFORMATION'],
+  3: ['DEBUG', 'FINE', 'FINER', 'FINEST'],
+  4: ['ALL'],
+};
+
+const logLevelMap = {
+  SEVERE: ['SEVERE', 'ERROR', 'FATAL'],
+  ERROR: ['SEVERE', 'ERROR', 'FATAL'],
+  FATAL: ['SEVERE', 'ERROR', 'FATAL'],
+  WARN: ['SEVERE', 'ERROR', 'FATAL', 'WARNING', 'WARN', 'CONFIG'],
+  WARNING: ['SEVERE', 'ERROR', 'FATAL', 'WARNING', 'WARN', 'CONFIG'],
+  CONFIG: ['SEVERE', 'ERROR', 'FATAL', 'WARNING', 'WARN', 'CONFIG'],
+  INFO: [
+    'SEVERE',
+    'ERROR',
+    'FATAL',
+    'WARNING',
+    'WARN',
+    'CONFIG',
+    'INFO',
+    'INFORMATION',
+  ],
+  INFORMATION: [
+    'SEVERE',
+    'ERROR',
+    'FATAL',
+    'WARNING',
+    'WARN',
+    'CONFIG',
+    'INFO',
+    'INFORMATION',
+  ],
+  DEBUG: [
+    'SEVERE',
+    'ERROR',
+    'FATAL',
+    'WARNING',
+    'WARN',
+    'CONFIG',
+    'INFO',
+    'INFORMATION',
+    'DEBUG',
+    'FINE',
+    'FINER',
+    'FINEST',
+  ],
+  FINE: [
+    'SEVERE',
+    'ERROR',
+    'FATAL',
+    'WARNING',
+    'WARN',
+    'CONFIG',
+    'INFO',
+    'INFORMATION',
+    'DEBUG',
+    'FINE',
+    'FINER',
+    'FINEST',
+  ],
+  FINER: [
+    'SEVERE',
+    'ERROR',
+    'FATAL',
+    'WARNING',
+    'WARN',
+    'CONFIG',
+    'INFO',
+    'INFORMATION',
+    'DEBUG',
+    'FINE',
+    'FINER',
+    'FINEST',
+  ],
+  FINEST: [
+    'SEVERE',
+    'ERROR',
+    'FATAL',
+    'WARNING',
+    'WARN',
+    'CONFIG',
+    'INFO',
+    'INFORMATION',
+    'DEBUG',
+    'FINE',
+    'FINER',
+    'FINEST',
+  ],
+  ALL: ['ALL'],
+};
+
+export function resolveLevel(level) {
+  //   const levels = ['FATAL', 'ERROR', 'WARN', 'INFO', 'DEBUG', 'TRACE', 'ALL'];
+  //   levels.splice(levels.indexOf(levelName) + 1, levels.length);
+  if (Number.isNaN(parseInt(level, 10))) {
+    return logLevelMap[level];
+  }
+  return logLevelMap[numLogLevelMap[level][0]];
+}
+
+// It seems that the undesirable 'text/plain' logs start with a date, not a LEVEL 
+// Therefore, for those, this function returns null, and thus filters out the undesirable
+export function resolvePayloadLevel(log) {
+  try {
+    return log.type !== 'text/plain' ? log.payload.level : log.payload.match(/^([^:]*):/)[1];
+  } catch (e) { // Fail-safe for no group match
+    return null
+  }
+}
+
+export async function getLogSources() {
+  const sources = [];
+  await getSources()
+    .then((response) => {
+      response.data.result.forEach((item) => {
+        sources.push(item);
+      });
+    })
+    .catch((error) => {
+      printMessage(
+        `getSources ERROR: get log sources call returned ${error}}`,
+        'error'
+      );
+      return [];
+    });
+  return sources;
+}
+
+export async function tailLogs(source, levels, txid, cookie) {
+  try {
+    const response = await LogApi.tail(source, cookie);
+    if (response.status < 200 || response.status > 399) {
+      printMessage(
+        `tail ERROR: tail call returned ${response.status}`,
+        'error'
+      );
+      return null;
+    }
+    // if (!cookie) {
+    //   await saveConnection();
+    // }
+    const logsObject = response.data;
+    let filteredLogs = [];
+    if (Array.isArray(logsObject.result)) {
+      filteredLogs = logsObject.result.filter(
+        (el) =>
+          !noise.includes(el.payload.logger) &&
+          !noise.includes(el.type) &&
+          (levels[0] === 'ALL' || levels.includes(resolvePayloadLevel(el))) &&
+          (typeof txid === 'undefined' ||
+            txid === null ||
+            el.payload.transactionId.includes(txid))
+      );
+    }
+
+    filteredLogs.forEach((e) => {
+      printMessage(JSON.stringify(e.payload), 'data');
+    });
+
+    setTimeout(() => {
+      tailLogs(source, levels, txid, logsObject.result.pagedResultsCookie);
+    }, 5000);
+    return null;
+  } catch (e) {
+    printMessage(`tail ERROR: tail data error - ${e}`, 'error');
+    return `tail ERROR: tail data error - ${e}`;
+  }
+}
+
+export async function provisionCreds() {
+  try {
+    let keyName = `frodo-${storage.session.getUsername()}`;
+    return getAPIKeys()
+      .then((response) => {
+        response.data.result.forEach((k) => {
+          if (k.name === keyName) {
+            // append current timestamp to name if the named key already exists
+            keyName = `${keyName}-${getCurrentTimestamp()}`;
+          }
+        });
+        return createAPIKeyAndSecret(keyName)
+          .then((resp) => {
+            if (resp.data.name !== keyName) {
+              printMessage(
+                `create keys ERROR: could not create log API key ${keyName}`,
+                'error'
+              );
+              return null;
+            }
+            printMessage(
+              `Created a new log API key [${keyName}] in ${storage.session.getTenant()}`
+            );
+            return resp.data;
+          })
+          .catch((error) => {
+            printMessage(
+              `create keys ERROR: create keys call returned ${error}`,
+              'error'
+            );
+            return null;
+          });
+      })
+      .catch((error) => {
+        printMessage(
+          `get keys ERROR: get keys call returned ${error}`,
+          'error'
+        );
+      });
+  } catch (e) {
+    printMessage(`create keys ERROR: create keys data error - ${e}`, 'error');
+    return null;
+  }
+}

package/src/ops/ManagedObjectOps.js

@@ -0,0 +1,34 @@
+import { getManagedObject } from '../api/ManagedObjectApi.js';
+
+/**
+ * Resolve a managed object's uuid to a human readable username
+ * @param {String} type managed object type, e.g. teammember or alpha_user
+ * @param {String} id managed object _id
+ * @returns {String} resolved username or uuid if any error occurs during reslution
+ */
+export async function resolveUserName(type, id) {
+  try {
+    return (await getManagedObject(type, id, ['userName'])).data.userName;
+  } catch (error) {
+    // eslint-disable-next-line no-empty
+  }
+  return id;
+}
+
+/**
+ * Resolve a managed object's uuid to a human readable full name
+ * @param {String} type managed object type, e.g. teammember or alpha_user
+ * @param {String} id managed object _id
+ * @returns {String} resolved full name or uuid if any error occurs during reslution
+ */
+export async function resolveFullName(type, id) {
+  try {
+    const managedObject = (
+      await getManagedObject(type, id, ['givenName', 'sn'])
+    ).data;
+    return `${managedObject.givenName} ${managedObject.sn}`;
+  } catch (error) {
+    // eslint-disable-next-line no-empty
+  }
+  return id;
+}

package/src/ops/OAuth2ClientOps.js

@@ -0,0 +1,151 @@
+import fs from 'fs';
+import { createTable, printMessage } from './utils/Console.js';
+import {
+  getTypedFilename,
+  saveToFile,
+  titleCase,
+  validateImport,
+} from './utils/ExportImportUtils.js';
+import storage from '../storage/SessionStorage.js';
+import {
+  getOAuth2Client,
+  getOAuth2Clients,
+  putOAuth2Client,
+} from '../api/OAuth2ClientApi.js';
+import { getOAuth2Provider } from '../api/OAuth2ProviderApi.js';
+import { getRealmName } from '../api/utils/ApiUtils.js';
+
+/**
+ * List OAuth2 clients
+ */
+export async function listOAuth2Clients(long = false) {
+  try {
+    const clients = (await getOAuth2Clients()).data.result;
+    clients.sort((a, b) => a._id.localeCompare(b._id));
+    if (long) {
+      const table = createTable([
+        'Client Id',
+        'Status',
+        'Client Type',
+        'Grant Types',
+        'Scopes',
+        'Redirect URIs',
+        // 'Description',
+      ]);
+      const grantTypesMap = {
+        authorization_code: 'Authz Code',
+        client_credentials: 'Client Creds',
+        refresh_token: 'Refresh Token',
+        password: 'ROPC',
+        'urn:ietf:params:oauth:grant-type:uma-ticket': 'UMA',
+        implicit: 'Implicit',
+        'urn:ietf:params:oauth:grant-type:device_code': 'Device Code',
+        'urn:ietf:params:oauth:grant-type:saml2-bearer': 'SAML2 Bearer',
+        'urn:openid:params:grant-type:ciba': 'CIBA',
+        'urn:ietf:params:oauth:grant-type:token-exchange': 'Token Exchange',
+        'urn:ietf:params:oauth:grant-type:jwt-bearer': 'JWT Bearer',
+      };
+      clients.forEach((client) => {
+        table.push([
+          client._id,
+          client.coreOAuth2ClientConfig.status === 'Active'
+            ? 'Active'.brightGreen
+            : client.coreOAuth2ClientConfig.status.brightRed,
+          client.coreOAuth2ClientConfig.clientType,
+          client.advancedOAuth2ClientConfig.grantTypes
+            .map((type) => grantTypesMap[type])
+            .join('\n'),
+          client.coreOAuth2ClientConfig.scopes.join('\n'),
+          client.coreOAuth2ClientConfig.redirectionUris.join('\n'),
+          // wordwrap(client.description, 30),
+        ]);
+      });
+      printMessage(table.toString(), 'data');
+    } else {
+      clients.forEach((client) => {
+        printMessage(`${client._id}`, 'data');
+      });
+    }
+  } catch (error) {
+    printMessage(`Error listing scripts - ${error}`, 'error');
+  }
+}
+
+/**
+ * Export OAuth2 client to file
+ * @param {String} id client id
+ * @param {String} file file name
+ */
+export async function exportOAuth2ClientToFile(id, file) {
+  let fileName = getTypedFilename(id, 'oauth2.app');
+  if (file) {
+    fileName = file;
+  }
+  const oauth2Service = (await getOAuth2Provider()).data;
+  const client = (await getOAuth2Client(id)).data;
+  client._provider = oauth2Service;
+  saveToFile('application', [client], '_id', fileName);
+}
+
+/**
+ * Export all OAuth2 clients to file
+ * @param {String} file file name
+ */
+export async function exportOAuth2ClientsToFile(file) {
+  let fileName = getTypedFilename(
+    `all${titleCase(getRealmName(storage.session.getRealm()))}Applications`,
+    'oauth2.app'
+  );
+  if (file) {
+    fileName = file;
+  }
+  const oauth2Service = (await getOAuth2Provider()).data;
+  const clients = (await getOAuth2Clients()).data.result;
+  const exportData = [];
+  for (const client of clients) {
+    client._provider = oauth2Service;
+    exportData.push(client);
+  }
+  saveToFile('application', exportData, '_id', fileName);
+}
+
+/**
+ * Export all OAuth2 clients to separate files
+ */
+export async function exportOAuth2ClientsToFiles() {
+  const oauth2Service = (await getOAuth2Provider()).data;
+  const clients = (await getOAuth2Clients()).data.result;
+  for (const client of clients) {
+    client._provider = oauth2Service;
+    const fileName = getTypedFilename(client._id, 'oauth2.app');
+    saveToFile('application', [client], '_id', fileName);
+  }
+}
+
+/**
+ * Import OAuth2 clients from file
+ * @param {String} file file name
+ */
+export async function importOAuth2ClientsFromFile(file) {
+  fs.readFile(file, 'utf8', (err, data) => {
+    if (err) throw err;
+    const applicationData = JSON.parse(data);
+    if (validateImport(applicationData.meta)) {
+      for (const id in applicationData.application) {
+        if (
+          Object.prototype.hasOwnProperty.call(applicationData.application, id)
+        ) {
+          delete applicationData.application[id]._provider;
+          delete applicationData.application[id]._rev;
+          putOAuth2Client(id, applicationData.application[id]).then(
+            (result) => {
+              if (!result == null) printMessage(`Imported ${id}`);
+            }
+          );
+        }
+      }
+    } else {
+      printMessage('Import validation failed...', 'error');
+    }
+  });
+}

package/src/ops/OrganizationOps.js

@@ -0,0 +1,85 @@
+import { queryAllManagedObjectsByType } from '../api/IdmConfigApi.js';
+import storage from '../storage/SessionStorage.js';
+import { printMessage } from './utils/Console.js';
+
+/**
+ * Get organization managed object type
+ * @returns {String} organization managed object type in this realm
+ */
+export function getRealmManagedOrganization() {
+  let realmManagedOrg = 'organization';
+  if (
+    storage.session.getDeploymentType() === global.CLOUD_DEPLOYMENT_TYPE_KEY
+  ) {
+    realmManagedOrg = `${storage.session.getRealm()}_organization`;
+  }
+  return realmManagedOrg;
+}
+
+/**
+ * Get organizations
+ * @returns {Promise} promise resolving to an object containing an array of organization objects
+ */
+export async function getOrganizations() {
+  const orgs = [];
+  let result = {
+    result: [],
+    resultCount: 0,
+    pagedResultsCookie: null,
+    totalPagedResultsPolicy: 'NONE',
+    totalPagedResults: -1,
+    remainingPagedResults: -1,
+  };
+  try {
+    do {
+      // eslint-disable-next-line no-await-in-loop
+      result = await queryAllManagedObjectsByType(
+        getRealmManagedOrganization(),
+        ['name', 'parent/*/name', 'children/*/name'],
+        result.pagedResultsCookie
+      ).catch((queryAllManagedObjectsByTypeError) => {
+        printMessage(queryAllManagedObjectsByTypeError, 'error');
+        printMessage(
+          `Error querying ${getRealmManagedOrganization()} objects: ${queryAllManagedObjectsByTypeError}`,
+          'error'
+        );
+      });
+      orgs.concat(result.result);
+      printMessage('.', 'text', false);
+    } while (result.pagedResultsCookie);
+  } catch (error) {
+    printMessage(error.response.data, 'error');
+    printMessage(`Error retrieving all organizations: ${error}`, 'error');
+  }
+  return orgs;
+}
+
+// unfinished work
+export async function listOrganizationsTopDown() {
+  const orgs = [];
+  let result = {
+    result: [],
+    resultCount: 0,
+    pagedResultsCookie: null,
+    totalPagedResultsPolicy: 'NONE',
+    totalPagedResults: -1,
+    remainingPagedResults: -1,
+  };
+  do {
+    // eslint-disable-next-line no-await-in-loop
+    result = await queryAllManagedObjectsByType(
+      getRealmManagedOrganization(),
+      ['name', 'parent/*/name', 'children/*/name'],
+      result.pagedResultsCookie
+    ).catch((queryAllManagedObjectsByTypeError) => {
+      printMessage(queryAllManagedObjectsByTypeError, 'error');
+      printMessage(
+        `Error querying ${getRealmManagedOrganization()} objects: ${queryAllManagedObjectsByTypeError}`,
+        'error'
+      );
+    });
+    orgs.concat(result.result);
+    printMessage('.', 'text', false);
+  } while (result.pagedResultsCookie);
+  return orgs;
+}