public override async Task <Empty> TriggerScimSync(ScimSyncRequest request, ServerCallContext context)
{
SCIMAppSettings setting = await _authDbContext
.SCIMAppSettings
.SingleAsync(s => s.AuthAppId == new Guid(request.AppId));
await _syncHandler.FullSyncAsync(setting.Id);
return(new Empty());
}
private async Task <Gatekeeper.SCIM.Client.Client> GetScimClient(Guid scimAppSettingsId)
{
SCIMAppSettings scimAppSettings = await _authDbContext
.SCIMAppSettings
.AsNoTracking()
.SingleAsync(s => s.Id == scimAppSettingsId);
Gatekeeper.SCIM.Client.Client client = new Gatekeeper.SCIM.Client.Client(
new Uri(scimAppSettings.Endpoint)
);
client.SetAuthToken(scimAppSettings.Credentials);
return(client);
}
public override async Task <AddNewAppReply> AddNewApp(AddNewAppRequest request, ServerCallContext context)
{
AuthApp app = new AuthApp
{
Name = request.Name,
Url = request.Url,
Description = request.Description,
};
_authDbContext.Add(app);
switch (request.HostingType)
{
case HostingType.NonWeb:
app.HostingType = AuthApp.HostingTypeEnum.NON_WEB;
break;
case HostingType.WebGatekeeperProxy:
app.HostingType = AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY;
break;
case HostingType.WebGeneric:
app.HostingType = AuthApp.HostingTypeEnum.WEB_GENERIC;
break;
default:
throw new NotImplementedException("Auth mode is not implemented");
}
switch (request.DirectoryChoice)
{
case AddNewAppRequest.Types.DirectoryChoice.NoneDirectory:
app.DirectoryMethod = AuthApp.DirectoryMethodEnum.NONE;
break;
case AddNewAppRequest.Types.DirectoryChoice.LdapDirectory:
app.DirectoryMethod = AuthApp.DirectoryMethodEnum.LDAP;
break;
case AddNewAppRequest.Types.DirectoryChoice.ScimDirectory:
app.DirectoryMethod = AuthApp.DirectoryMethodEnum.SCIM;
break;
}
switch (request.AuthChoice)
{
case AddNewAppRequest.Types.AuthChoice.LdapAuth:
app.AuthMethod = AuthApp.AuthMethodEnum.LDAP;
break;
case AddNewAppRequest.Types.AuthChoice.OidcAuth:
app.AuthMethod = AuthApp.AuthMethodEnum.OIDC;
break;
}
if (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP || app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP)
{
string assembledBaseDn = "dc=" + app.Id;
string bindUserPassword = _ldapSettingsDataProtector.Protect(_secureRandom.GetRandomString(16));
string bindUser = "******" + assembledBaseDn;
LdapAppSettings ldapAppSettings = new LdapAppSettings
{
AuthApp = app,
UseForAuthentication = (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP),
UseForIdentity = (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP),
BaseDn = assembledBaseDn,
BindUser = bindUser,
BindUserPassword = bindUserPassword,
};
_authDbContext.Add(ldapAppSettings);
app.LdapAppSettings = ldapAppSettings;
}
if (app.HostingType == AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY)
{
ProxyAppSettings proxyAppSettings = new ProxyAppSettings
{
AuthApp = app,
InternalHostname = request.ProxySetting.InternalHostname,
PublicHostname = request.ProxySetting.PublicHostname,
};
_authDbContext.Add(proxyAppSettings);
app.ProxyAppSettings = proxyAppSettings;
_configurationProvider.TryGet("tls.acme.support", out string isAcmeSupported);
if (isAcmeSupported == "true")
{
// FIXME: Passing an empty email is a hack here. The email is already passed in InstallService. Could be refactored.
BackgroundJob.Enqueue <IRequestAcmeCertificateJob>(job => job.Request("", request.ProxySetting.PublicHostname));
}
}
if (app.AuthMethod == AuthApp.AuthMethodEnum.OIDC)
{
OIDCAppSettings oidcAppSettings = new OIDCAppSettings
{
RedirectUrl = request.OidcSetting.RedirectUri,
AuthApp = app,
ClientId = Guid.NewGuid().ToString(),
ClientSecret = _secureRandom.GetRandomString(32),
Audience = "FIX_ME",
};
_authDbContext.Add(oidcAppSettings);
app.OidcAppSettings = oidcAppSettings;
}
if (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.SCIM)
{
SCIMAppSettings scimAppSettings = new SCIMAppSettings
{
AuthApp = app,
Endpoint = request.ScimSetting.Endpoint,
Credentials = request.ScimSetting.Credentials,
};
_authDbContext.Add(scimAppSettings);
app.ScimAppSettings = scimAppSettings;
}
foreach (string groupId in request.GroupIds)
{
Guid groupIdGuid = new Guid(groupId);
UserGroup group = await _authDbContext.UserGroup
.Include(g => g.AuthApps)
.SingleAsync(g => g.Id == groupIdGuid);
group.AuthApps.Add(app);
}
await _authDbContext.SaveChangesAsync();
// fixme: this should be done outside a service
await _memoryPopulator.PopulateFromDatabase();
return(new AddNewAppReply
{
Success = true,
});
}
public async Task FullSyncAsync(Guid scimAppSettingsId)
{
SCIMAppSettings scimAppSettings = await _authDbContext
.SCIMAppSettings
.Include(u => u.AuthApp)
.ThenInclude(a => a.UserGroups)
.ThenInclude(g => g.Members)
.SingleAsync(s => s.Id == scimAppSettingsId);
Gatekeeper.SCIM.Client.Client client = new Gatekeeper.SCIM.Client.Client(new Uri(scimAppSettings.Endpoint));
client.SetAuthToken(scimAppSettings.Credentials);
// Create a dictionary of all permitted users
HashSet <Guid> allAppUsers = new HashSet <Guid>();
foreach (UserGroup group in scimAppSettings.AuthApp.UserGroups)
{
foreach (AppUser member in group.Members)
{
allAppUsers.Add(member.Id);
}
}
// Read SCIM states
List <ScimUserSyncState> userSyncStates = await _authDbContext
.ScimUserSyncStates
.Include(s => s.User)
.Where(s => s.SCIMAppSettings == scimAppSettings)
.ToListAsync();
// Update users
foreach (Guid userId in allAppUsers)
{
BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.SyncUserAsync(userId, scimAppSettingsId));
}
// Remove users
List <ScimUserSyncState> usersToRemove = userSyncStates
.Where(s => !allAppUsers.Contains(s.User.Id))
.ToList();
foreach (ScimUserSyncState syncState in usersToRemove)
{
BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.UnsyncUserAsync(syncState.User.Id, scimAppSettingsId));
}
// Read scim states
List <ScimGroupSyncState> groupSyncStates = await _authDbContext
.ScimGroupSyncStates
.Include(s => s.UserGroup)
.Where(s => s.SCIMAppSettings == scimAppSettings)
.ToListAsync();
// Update groups
foreach (UserGroup group in scimAppSettings.AuthApp.UserGroups)
{
BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.SyncGroupAsync(group.Id, scimAppSettingsId));
}
// Remove groups
List <ScimGroupSyncState> groupsToRemove = groupSyncStates
.Where(s => !scimAppSettings.AuthApp.UserGroups.Contains(s.UserGroup))
.ToList();
foreach (ScimGroupSyncState syncState in groupsToRemove)
{
BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.UnsyncGroupAsync(syncState.UserGroup.Id, scimAppSettingsId));
}
}
