require 'uaa'
module VCAP::Services::SSO::UAA
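class UaaClientManager
  # Header/value the Cloud Foundry router sets on a 404 it generated itself
  # because no route matched. A 404 carrying it means UAA was not reached at
  # all, which is reported differently from a UAA "no such client" 404.
  ROUTER_404_KEY = 'X-Cf-Routererror'.freeze
  ROUTER_404_VALUE = 'unknown_route'.freeze

  # Allow-list applied to the configured :uaa_client_scope; any other entry
  # is dropped before it can reach a client registration.
  PERMITTED_CLIENT_SCOPES = %w[
    cloud_controller.write
    openid
    cloud_controller.read
    cloud_controller_service_permissions.read
  ].freeze

  # @param opts [Hash] stored on the instance; no method in this class reads it
  def initialize(opts={})
    @opts = opts
    @uaa_client = create_uaa_client
  end

  # Looks up clients by id through the configured UAA client.
  #
  # @param client_ids [Array<String>]
  # @return whatever VCAP::CloudController::UaaClient#get_clients returns
  def get_clients(client_ids)
    uaa_client.get_clients(client_ids)
  end

  # Applies a batch of client changes in one UAA transaction
  # (POST {uaa_target}/oauth/clients/tx/modify) over verified TLS.
  #
  # @param changeset [Array] each element must respond to #client_attrs
  #   (a Hash with 'id', 'secret' and 'redirect_uri' string keys) and
  #   #uaa_command (a Hash merged over the per-client request)
  # @return [nil] when the changeset is empty or UAA answers 2xx
  # @raise [VCAP::CloudController::UaaResourceInvalid] on 400
  # @raise [VCAP::CloudController::UaaUnavailable] on a router-generated 404
  # @raise [VCAP::CloudController::UaaResourceNotFound] on any other 404
  # @raise [VCAP::CloudController::UaaResourceAlreadyExists] on 409
  # @raise [VCAP::CloudController::UaaUnexpectedResponse] on any other status
  def modify_transaction(changeset)
    return if changeset.empty?

    uri = URI("#{uaa_target}/oauth/clients/tx/modify")
    request_body = batch_request(changeset)
    request = build_request(uri, request_body)
    http = build_https_connection(uri)
    # Secrets are removed from the log line only; scrub returns copies, so the
    # body already serialised into `request` is unaffected regardless of order.
    logger.info("POST UAA transaction: #{uri} - #{scrub(request_body).to_json}")
    handle_response(http.request(request))
  end

  private

  attr_reader :uaa_client

  # JSON POST carrying the batch and the CC client's bearer token.
  #
  # @param uri [URI]
  # @param request_body [Array<Hash>] output of #batch_request
  # @return [Net::HTTP::Post]
  def build_request(uri, request_body)
    request = Net::HTTP::Post.new(uri.path)
    request.body = request_body.to_json
    request.content_type = 'application/json'
    request['Authorization'] = uaa_client.token_info.auth_header
    request
  end

  # HTTPS connection with peer verification against the configured UAA CA file
  # plus the system default trust paths; plain HTTP is never used.
  #
  # @param uri [URI]
  # @return [Net::HTTP]
  def build_https_connection(uri)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.ca_file = uaa_ca_file
    http.cert_store = OpenSSL::X509::Store.new
    http.cert_store.set_default_paths
    http
  end

  # Maps UAA's status code onto the CloudController error callers expect.
  # Every non-2xx response is logged before the corresponding error is raised.
  #
  # @param response [Net::HTTPResponse]
  # @return [nil] on 2xx
  def handle_response(response)
    case response.code.to_i
    when 200..299
      nil
    when 400
      log_bad_uaa_response(response)
      raise VCAP::CloudController::UaaResourceInvalid
    when 404
      log_bad_uaa_response(response)
      # The router's own 404 (no route to UAA) is an availability problem,
      # not a missing client.
      raise VCAP::CloudController::UaaUnavailable if response[ROUTER_404_KEY] == ROUTER_404_VALUE

      raise VCAP::CloudController::UaaResourceNotFound
    when 409
      log_bad_uaa_response(response)
      raise VCAP::CloudController::UaaResourceAlreadyExists
    else
      log_bad_uaa_response(response)
      raise VCAP::CloudController::UaaUnexpectedResponse
    end
  end

  # Logs status and response summary (Net::HTTPResponse#inspect, which does
  # not include the body).
  def log_bad_uaa_response(response)
    logger.error("UAA request failed with code: #{response.code} - #{response.inspect}")
  end

  # Copy of the batch with every client_secret removed, for logging only.
  # Unlike an in-place delete this does not modify the caller's hashes, so the
  # request body cannot lose its secrets if the log call is ever reordered.
  #
  # @param transaction_body [Array<Hash>]
  # @return [Array<Hash>] new hashes; symbol or string 'client_secret' keys dropped
  def scrub(transaction_body)
    transaction_body.map do |client_request|
      client_request.reject { |key, _| key.to_s == 'client_secret' }
    end
  end

  # One request hash per change: the SSO client template merged with the
  # change's UAA command (command keys win on conflict).
  #
  # @param changeset [Array] see #modify_transaction
  # @return [Array<Hash>]
  def batch_request(changeset)
    changeset.map do |change|
      sso_client_info(change.client_attrs).merge(change.uaa_command)
    end
  end

  # Client registration template: id/secret/redirect_uri come from the change,
  # the scope from config (allow-listed), grant type and authorities are fixed.
  #
  # @param client_attrs [Hash] string-keyed ('id', 'secret', 'redirect_uri')
  # @return [Hash] symbol-keyed UAA client attributes
  def sso_client_info(client_attrs)
    {
      client_id: client_attrs['id'],
      client_secret: client_attrs['secret'],
      redirect_uri: client_attrs['redirect_uri'],
      scope: filter_uaa_client_scope,
      authorities: ['uaa.resource'],
      authorized_grant_types: ['authorization_code']
    }
  end

  # Memoised Steno logger for this component.
  def logger
    @logger ||= Steno.logger('cc.uaa_client_manager')
  end

  # Comma-separated :uaa_client_scope from config, reduced to the entries in
  # PERMITTED_CLIENT_SCOPES. Entries are compared verbatim (no whitespace
  # trimming), matching the original behaviour.
  #
  # @return [Array<String>]
  def filter_uaa_client_scope
    configured_scopes = VCAP::CloudController::Config.config.get(:uaa_client_scope).split(',')
    configured_scopes.select { |scope| PERMITTED_CLIENT_SCOPES.include?(scope) }
  end

  # UAA client authenticated with the Cloud Controller's own credentials from
  # config, pinned to the same internal URL and CA file used for transactions.
  def create_uaa_client
    VCAP::CloudController::UaaClient.new(
      uaa_target: uaa_target,
      client_id: VCAP::CloudController::Config.config.get(:uaa_client_name),
      secret: VCAP::CloudController::Config.config.get(:uaa_client_secret),
      ca_file: uaa_ca_file
    )
  end

  # @return [String] path of the CA bundle used to verify UAA's certificate
  def uaa_ca_file
    VCAP::CloudController::Config.config.get(:uaa, :ca_file)
  end

  # @return [String] UAA's internal base URL
  def uaa_target
    VCAP::CloudController::Config.config.get(:uaa, :internal_url)
  end
end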
end