Gluu custom script for scim 2.0
# oxTrust is available under the MIT License (2008). See http://opensource.org/licenses/MIT for full text. | |
# Copyright (c) 2014, Gluu | |
# | |
# Author: Jose Gonzalez | |
# | |
from org.xdi.model.custom.script.type.scim import ScimType | |
from org.xdi.util import StringHelper, ArrayHelper | |
from java.util import Arrays, ArrayList | |
from org.gluu.oxtrust.ldap.service import GroupService | |
from org.gluu.oxtrust.ldap.service import PersonService | |
from org.xdi.service.cdi.util import CdiUtil | |
from org.gluu.oxtrust.model import GluuCustomPerson | |
import java | |
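def roleEntitlementsFromGroupNames(groupNames):
    """Translate group display names into AWS SAML role entitlement values.

    A group named ``<prefix>-<12-digit account id>-<role>`` grants the IAM
    role ``<role>`` in that account.  Each returned value has the shape AWS
    expects in the SAML ``Role`` attribute: ``<role ARN>,<SAML provider ARN>``.

    Because the comma is the role/provider separator of that attribute, the
    role part is limited to the IAM role-name character set (plus ``/`` so
    role paths keep working).  A display name whose role part contains a comma
    (or whitespace, quotes, ...) is therefore ignored instead of being written
    into the attribute as a second, unintended ``role,provider`` pair.

    Args:
        groupNames: iterable of display names; ``None`` entries are skipped.

    Returns:
        Sorted, de-duplicated list of entitlement strings (sorted so the
        stored LDAP attribute is stable between runs).
    """
    import re
    pattern = re.compile(r'^(.*)-(\d{12})-([\w+=.@/-]+)$')
    entitlements = set()
    for name in groupNames:
        matched = pattern.match(name or '')
        if not matched:
            continue
        _, accoundId, role = matched.groups()
        print('found user group: {}, matched accoundId={}, role={}'.format(name, accoundId, role))
        entitlements.add('arn:aws:iam::%s:role/%s,arn:aws:iam::%s:saml-provider/Shibboleth' % (accoundId, role, accoundId))
    return sorted(entitlements)


def updateRoleEntitlement(user, forceUpdate=False):
    """Recompute the user's ``RoleEntitlement`` and ``RoleSessionName`` attributes.

    The entitlements are derived from the display names of every group listed
    in the user's ``memberOf`` (see ``roleEntitlementsFromGroupNames``), so a
    user who left all AWS groups ends up with an empty entitlement list.

    Args:
        user: the GluuCustomPerson to update (modified in place).
        forceUpdate: when True the person is persisted through PersonService;
            otherwise only the in-memory object changes and the caller is
            responsible for saving it.
    """
    from org.xdi.service.cdi.util import CdiUtil
    from org.gluu.oxtrust.ldap.service import GroupService
    print('update RoleEntitlement for user: %s' % user.getUid())
    groupService = CdiUtil.bean(GroupService)
    groupNames = []
    # memberOf may be absent for a user without groups, and a DN in it may no
    # longer resolve (group deleted); neither case should abort the update.
    for groupDn in (user.getMemberOf() or []):
        group = groupService.getGroupByDn(groupDn)
        if group is None:
            print('skipping unresolvable group DN: %s' % groupDn)
            continue
        groupNames.append(group.getDisplayName())
    roleEntitlements = roleEntitlementsFromGroupNames(groupNames)
    user.setAttribute('RoleEntitlement', roleEntitlements)
    print('set attribute RoleEntitlement = {}'.format(roleEntitlements))
    # RoleSessionName shows up in CloudTrail as the assumed-role session name,
    # so the stable uid is used rather than a display name.
    user.setAttribute('RoleSessionName', user.getUid())
    print('set attribute RoleSessionName = {}'.format(user.getUid()))
    if forceUpdate:
        personService = CdiUtil.bean(PersonService)
        personService.updatePerson(user)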
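class ScimEventHandler(ScimType):
    """SCIM 2.0 event hooks that keep AWS role entitlements in sync with group membership.

    The pre-hooks (``createGroup``, ``updateGroup``, ...) run before the
    directory write; because ``getApiVersion`` returns 2 the ``post*`` hooks
    run after it.  Only the group hooks do real work: every user whose
    membership changed gets its ``RoleEntitlement`` recomputed through
    ``updateRoleEntitlement``.  The user hooks are logging stubs inherited
    from the Gluu sample script.
    """

    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis
        # DNs of the members affected by the group update currently in flight.
        # Filled by updateGroup(), consumed and cleared by postUpdateGroup().
        # NOTE(review): one handler instance serves every SCIM request, so two
        # concurrent group updates would overwrite each other's set -- confirm
        # whether the SCIM endpoint serialises script hooks before relying on it.
        self.diffMembers = set()

    def init(self, configurationAttributes):
        print("ScimEventHandler (init): Initialized successfully")
        return True

    def destroy(self, configurationAttributes):
        print("ScimEventHandler (destroy): Destroyed successfully")
        return True

    def getApiVersion(self):
        # 2 is required for the post* hooks below to be invoked at all.
        return 2

    def createUser(self, user, configurationAttributes):
        """Sample pre-hook: log the uid and the optional test properties.

        The properties are part of the Gluu sample and may not be configured;
        a missing one is logged as None instead of failing user provisioning
        with an AttributeError.
        """
        print("ScimEventHandler (createUser): Current id = " + user.getUid())
        for propName in ("testProp1", "testProp2"):
            prop = configurationAttributes.get(propName)
            value = prop.getValue2() if prop is not None else None
            print("ScimEventHandler (createUser): %s = %s" % (propName, value))
        return True

    def updateUser(self, user, configurationAttributes):
        """Sample pre-hook: log the stored and the incoming displayName."""
        personService = CdiUtil.bean(PersonService)
        oldUser = personService.getPersonByUid(user.getUid())
        # A uid that does not resolve should not break the update with an AttributeError.
        oldDisplayName = oldUser.getDisplayName() if oldUser is not None else None
        print("ScimEventHandler (updateUser): Old displayName %s" % oldDisplayName)
        print("ScimEventHandler (updateUser): New displayName %s" % user.getDisplayName())
        return True

    def deleteUser(self, user, configurationAttributes):
        print("ScimEventHandler (deleteUser): Current id = " + user.getUid())
        return True

    def createGroup(self, group, configurationAttributes):
        print("ScimEventHandler (createGroup): Current displayName = " + group.getDisplayName())
        return True

    def updateGroup(self, group, configurationAttributes):
        """Pre-hook: remember which members are added to or removed from the group.

        The stored group is looked up by displayName.  When this update
        renames the group the lookup fails; every current member is then
        treated as changed, which is the right outcome because the account
        and role are encoded in the name.  Members removed by such a rename
        cannot be recovered here and keep their old entitlement until their
        next update.
        """
        print("ScimEventHandler (updateGroup): Current displayName = " + group.getDisplayName())
        groupService = CdiUtil.bean(GroupService)
        oldGroup = groupService.getGroupByDisplayName(group.getDisplayName())
        oldGroupMembers = set(oldGroup.getMembers() or []) if oldGroup is not None else set()
        newGroupMembers = set(group.getMembers() or [])
        # Symmetric difference: the former `old - new or new - old` silently
        # dropped the added members whenever the same update also removed one.
        self.diffMembers = oldGroupMembers.symmetric_difference(newGroupMembers)
        return True

    def deleteGroup(self, group, configurationAttributes):
        print("ScimEventHandler (deleteGroup): Current displayName = " + group.getDisplayName())
        return True

    def postCreateUser(self, user, configurationAttributes):
        return True

    def postUpdateUser(self, user, configurationAttributes):
        return True

    def postDeleteUser(self, user, configurationAttributes):
        return True

    def postUpdateGroup(self, group, configurationAttributes):
        """Post-hook: persist fresh entitlements for the members recorded by updateGroup()."""
        print("ScimEventHandler (postUpdateGroup): Current displayName = " + group.getDisplayName())
        personService = CdiUtil.bean(PersonService)
        # getattr guards against the pre-hook not having run on this instance.
        affected = getattr(self, 'diffMembers', set())
        self.diffMembers = set()
        for userDn in affected:
            user = personService.getPersonByDn(userDn)
            if user is None:
                print("ScimEventHandler (postUpdateGroup): skipping unresolvable member %s" % userDn)
                continue
            updateRoleEntitlement(user, True)
        return True

    def postCreateGroup(self, group, configurationAttributes):
        return True

    def postDeleteGroup(self, group, configurationAttributes):
        """Post-hook: strip the deleted group's entitlement from every former member."""
        personService = CdiUtil.bean(PersonService)
        # A group without members has no member attribute at all.
        for userDn in (group.getMembers() or []):
            user = personService.getPersonByDn(userDn)
            if user is None:
                print("ScimEventHandler (postDeleteGroup): skipping unresolvable member %s" % userDn)
                continue
            updateRoleEntitlement(user, True)
        return True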