public override async Task <Empty> TriggerScimSync(ScimSyncRequest request, ServerCallContext context) { SCIMAppSettings setting = await _authDbContext .SCIMAppSettings .SingleAsync(s => s.AuthAppId == new Guid(request.AppId)); await _syncHandler.FullSyncAsync(setting.Id); return(new Empty()); }
private async Task <Gatekeeper.SCIM.Client.Client> GetScimClient(Guid scimAppSettingsId) { SCIMAppSettings scimAppSettings = await _authDbContext .SCIMAppSettings .AsNoTracking() .SingleAsync(s => s.Id == scimAppSettingsId); Gatekeeper.SCIM.Client.Client client = new Gatekeeper.SCIM.Client.Client( new Uri(scimAppSettings.Endpoint) ); client.SetAuthToken(scimAppSettings.Credentials); return(client); }
public override async Task <AddNewAppReply> AddNewApp(AddNewAppRequest request, ServerCallContext context) { AuthApp app = new AuthApp { Name = request.Name, Url = request.Url, Description = request.Description, }; _authDbContext.Add(app); switch (request.HostingType) { case HostingType.NonWeb: app.HostingType = AuthApp.HostingTypeEnum.NON_WEB; break; case HostingType.WebGatekeeperProxy: app.HostingType = AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY; break; case HostingType.WebGeneric: app.HostingType = AuthApp.HostingTypeEnum.WEB_GENERIC; break; default: throw new NotImplementedException("Auth mode is not implemented"); } switch (request.DirectoryChoice) { case AddNewAppRequest.Types.DirectoryChoice.NoneDirectory: app.DirectoryMethod = AuthApp.DirectoryMethodEnum.NONE; break; case AddNewAppRequest.Types.DirectoryChoice.LdapDirectory: app.DirectoryMethod = AuthApp.DirectoryMethodEnum.LDAP; break; case AddNewAppRequest.Types.DirectoryChoice.ScimDirectory: app.DirectoryMethod = AuthApp.DirectoryMethodEnum.SCIM; break; } switch (request.AuthChoice) { case AddNewAppRequest.Types.AuthChoice.LdapAuth: app.AuthMethod = AuthApp.AuthMethodEnum.LDAP; break; case AddNewAppRequest.Types.AuthChoice.OidcAuth: app.AuthMethod = AuthApp.AuthMethodEnum.OIDC; break; } if (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP || app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP) { string assembledBaseDn = "dc=" + app.Id; string bindUserPassword = _ldapSettingsDataProtector.Protect(_secureRandom.GetRandomString(16)); string bindUser = "******" + assembledBaseDn; LdapAppSettings ldapAppSettings = new LdapAppSettings { AuthApp = app, UseForAuthentication = (app.AuthMethod == AuthApp.AuthMethodEnum.LDAP), UseForIdentity = (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.LDAP), BaseDn = assembledBaseDn, BindUser = bindUser, BindUserPassword = bindUserPassword, }; _authDbContext.Add(ldapAppSettings); app.LdapAppSettings = ldapAppSettings; } if (app.HostingType == AuthApp.HostingTypeEnum.WEB_GATEKEEPER_PROXY) { ProxyAppSettings proxyAppSettings = new ProxyAppSettings { AuthApp = app, InternalHostname = request.ProxySetting.InternalHostname, PublicHostname = request.ProxySetting.PublicHostname, }; _authDbContext.Add(proxyAppSettings); app.ProxyAppSettings = proxyAppSettings; _configurationProvider.TryGet("tls.acme.support", out string isAcmeSupported); if (isAcmeSupported == "true") { // FIXME: Passing an empty email is a hack here. The email is already passed in InstallService. Could be refactored. BackgroundJob.Enqueue <IRequestAcmeCertificateJob>(job => job.Request("", request.ProxySetting.PublicHostname)); } } if (app.AuthMethod == AuthApp.AuthMethodEnum.OIDC) { OIDCAppSettings oidcAppSettings = new OIDCAppSettings { RedirectUrl = request.OidcSetting.RedirectUri, AuthApp = app, ClientId = Guid.NewGuid().ToString(), ClientSecret = _secureRandom.GetRandomString(32), Audience = "FIX_ME", }; _authDbContext.Add(oidcAppSettings); app.OidcAppSettings = oidcAppSettings; } if (app.DirectoryMethod == AuthApp.DirectoryMethodEnum.SCIM) { SCIMAppSettings scimAppSettings = new SCIMAppSettings { AuthApp = app, Endpoint = request.ScimSetting.Endpoint, Credentials = request.ScimSetting.Credentials, }; _authDbContext.Add(scimAppSettings); app.ScimAppSettings = scimAppSettings; } foreach (string groupId in request.GroupIds) { Guid groupIdGuid = new Guid(groupId); UserGroup group = await _authDbContext.UserGroup .Include(g => g.AuthApps) .SingleAsync(g => g.Id == groupIdGuid); group.AuthApps.Add(app); } await _authDbContext.SaveChangesAsync(); // fixme: this should be done outside a service await _memoryPopulator.PopulateFromDatabase(); return(new AddNewAppReply { Success = true, }); }
public async Task FullSyncAsync(Guid scimAppSettingsId) { SCIMAppSettings scimAppSettings = await _authDbContext .SCIMAppSettings .Include(u => u.AuthApp) .ThenInclude(a => a.UserGroups) .ThenInclude(g => g.Members) .SingleAsync(s => s.Id == scimAppSettingsId); Gatekeeper.SCIM.Client.Client client = new Gatekeeper.SCIM.Client.Client(new Uri(scimAppSettings.Endpoint)); client.SetAuthToken(scimAppSettings.Credentials); // Create a dictionary of all permitted users HashSet <Guid> allAppUsers = new HashSet <Guid>(); foreach (UserGroup group in scimAppSettings.AuthApp.UserGroups) { foreach (AppUser member in group.Members) { allAppUsers.Add(member.Id); } } // Read SCIM states List <ScimUserSyncState> userSyncStates = await _authDbContext .ScimUserSyncStates .Include(s => s.User) .Where(s => s.SCIMAppSettings == scimAppSettings) .ToListAsync(); // Update users foreach (Guid userId in allAppUsers) { BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.SyncUserAsync(userId, scimAppSettingsId)); } // Remove users List <ScimUserSyncState> usersToRemove = userSyncStates .Where(s => !allAppUsers.Contains(s.User.Id)) .ToList(); foreach (ScimUserSyncState syncState in usersToRemove) { BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.UnsyncUserAsync(syncState.User.Id, scimAppSettingsId)); } // Read scim states List <ScimGroupSyncState> groupSyncStates = await _authDbContext .ScimGroupSyncStates .Include(s => s.UserGroup) .Where(s => s.SCIMAppSettings == scimAppSettings) .ToListAsync(); // Update groups foreach (UserGroup group in scimAppSettings.AuthApp.UserGroups) { BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.SyncGroupAsync(group.Id, scimAppSettingsId)); } // Remove groups List <ScimGroupSyncState> groupsToRemove = groupSyncStates .Where(s => !scimAppSettings.AuthApp.UserGroups.Contains(s.UserGroup)) .ToList(); foreach (ScimGroupSyncState syncState in groupsToRemove) { BackgroundJob.Enqueue((ISyncHandler syncHandler) => syncHandler.UnsyncGroupAsync(syncState.UserGroup.Id, scimAppSettingsId)); } }