Enhancement of role collection assignment with custom IdP #468

Merged
merged 1 commit into from
Mar 28, 2023
36 changes: 36 additions & 0 deletions config/templates/libs/BTPSA-USECASE.json
Expand Up @@ -95,6 +95,24 @@
"description": "user groups to be assigned from the parameter file",
"title": "user groups from parameter file"
},
"attribute": {
"type": "string",
"description": "the name of the attribute. To be found in the identity provider.",
"title": "attribute name (custom IdP)",
"default": null
},
"attributeValue": {
"type": "string",
"description": "the value of the attribute. To be found in the identity provider.",
"title": "attribute value (custom IdP)",
"default": null
},
"group":{
"type": "string",
"description": "the name of the user group. To be found in the identity provider.",
"title": "group name (custom IdP)",
"default": null
},
"idp":{
"type": "string",
"description": "the identity provider that hosts the user. ",
Expand Down Expand Up @@ -302,6 +320,24 @@
"description": "list of user groups to assign the role collection",
"title": "list of user groups to assign the role collection"
},
"attribute": {
"type": "string",
"description": "the name of the attribute. To be found in the identity provider.",
"title": "attribute name (custom IdP)",
"default": null
},
"attributeValue": {
"type": "string",
"description": "the value of the attribute. To be found in the identity provider.",
"title": "attribute value (custom IdP)",
"default": null
},
"group":{
"type": "string",
"description": "the name of the user group. To be found in the identity provider.",
"title": "group name (custom IdP)",
"default": null
},
"idp":{
"type": "string",
"description": "the identity provider that hosts the user. ",
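Review bot: Each new property (`attribute`, `attributeValue`, `group`) is declared `"type": "string"` but given `"default": null`, which is not an instance of that type under JSON Schema, so a validator that checks defaults against the declared type, or a consumer that fills defaults in, gets a null where a string is promised. Either drop the `"default": null` lines (the Python side already treats an absent key as unset via `rolecollection.get(...)`) or declare the type as `"type": ["string", "null"]`. The same three properties are added in both hunks of this file and in both hunks of libs/btpsa-usecase.json, so whichever form is chosen should be applied to all four places. It would also help readers of the schema if the `description` of `group` stated that it is mutually exclusive with `attribute`, and the description of `attribute` stated that `attributeValue` must be set alongside it, since that is the rule the Python validation enforces.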
36 changes: 36 additions & 0 deletions libs/btpsa-usecase.json
Expand Up @@ -81,6 +81,24 @@
"description": "user groups to be assigned from the parameter file",
"title": "user groups from parameter file"
},
"attribute": {
"type": "string",
"description": "the name of the attribute. To be found in the identity provider.",
"title": "attribute name (custom IdP)",
"default": null
},
"attributeValue": {
"type": "string",
"description": "the value of the attribute. To be found in the identity provider.",
"title": "attribute value (custom IdP)",
"default": null
},
"group":{
"type": "string",
"description": "the name of the user group. To be found in the identity provider.",
"title": "group name (custom IdP)",
"default": null
},
"idp":{
"type": "string",
"description": "the identity provider that hosts the user. ",
Expand Down Expand Up @@ -288,6 +306,24 @@
"description": "list of user groups to assign the role collection",
"title": "list of user groups to assign the role collection"
},
"attribute": {
"type": "string",
"description": "the name of the attribute. To be found in the identity provider.",
"title": "attribute name (custom IdP)",
"default": null
},
"attributeValue": {
"type": "string",
"description": "the value of the attribute. To be found in the identity provider.",
"title": "attribute value (custom IdP)",
"default": null
},
"group":{
"type": "string",
"description": "the name of the user group. To be found in the identity provider.",
"title": "group name (custom IdP)",
"default": null
},
"idp":{
"type": "string",
"description": "the identity provider that hosts the user. ",
140 changes: 140 additions & 0 deletions libs/python/helperRolesAndUsers.py
Expand Up @@ -6,6 +6,8 @@
from libs.python.helperCommandExecution import login_cf
from libs.python.helperJson import getJsonFromFile
import logging
import sys
import os

log = logging.getLogger(__name__)

Expand Down Expand Up @@ -119,6 +121,32 @@ def assignUsergroupsToRoleCollection(btpUsecase, rolecollection):
)
if idp is not None:
command += " --of-idp '" + idp + "'"

# Additional mapping for custom IdP only relevant if custom IdP is used
(
groupForIdp,
attributeForIdp,
attributeValueForIdp,
) = getCustomIdpMapping(rolecollection)

if isMappingForIdpValid(
groupForIdp, attributeForIdp, attributeValueForIdp
):

if groupForIdp is not None:
command += " --to-group '" + groupForIdp + "'"

if attributeForIdp is not None:
command += " --to-attribute '" + attributeForIdp + "'"
command += (
" --attribute-value '" + attributeValueForIdp + "'"
)
else:
log.error(
"Custom IdP configuration is not valid. Please check."
)
sys.exit(os.EX_DATAERR)

thisResult = runCommandAndGetJsonResult(
btpUsecase, command, "INFO", message
)
Expand Down Expand Up @@ -189,6 +217,32 @@ def assignUsersToGlobalAndSubaccount(btpUsecase):
)
if idp is not None:
command += " --of-idp '" + idp + "'"

# Additional mapping for custom IdP only relevant if custom IdP is used
(
groupForIdp,
attributeForIdp,
attributeValueForIdp,
) = getCustomIdpMapping(rolecollection)

if isMappingForIdpValid(
groupForIdp, attributeForIdp, attributeValueForIdp
):

if groupForIdp is not None:
command += " --to-group '" + groupForIdp + "'"

if attributeForIdp is not None:
command += " --to-attribute '" + attributeForIdp + "'"
command += (
" --attribute-value '" + attributeValueForIdp + "'"
)
else:
log.error(
"Custom IdP configuration is not valid. Please check."
)
sys.exit(os.EX_DATAERR)

runCommandAndGetJsonResult(btpUsecase, command, "INFO", message)

log.header("Set administrators for sub account")
Expand All @@ -215,6 +269,32 @@ def assignUsersToGlobalAndSubaccount(btpUsecase):
)
if idp is not None:
command += " --of-idp '" + idp + "'"

# Additional mapping for custom IdP only relevant if custom IdP is used
(
groupForIdp,
attributeForIdp,
attributeValueForIdp,
) = getCustomIdpMapping(rolecollection)

if isMappingForIdpValid(
groupForIdp, attributeForIdp, attributeValueForIdp
):

if groupForIdp is not None:
command += " --to-group '" + groupForIdp + "'"

if attributeForIdp is not None:
command += " --to-attribute '" + attributeForIdp + "'"
command += (
" --attribute-value '" + attributeValueForIdp + "'"
)
else:
log.error(
"Custom IdP configuration is not valid. Please check."
)
sys.exit(os.EX_DATAERR)

runCommandAndGetJsonResult(btpUsecase, command, "INFO", message)


Expand Down Expand Up @@ -331,6 +411,32 @@ def assignUsersToCustomRoleCollections(btpUsecase):
)
if idp is not None:
command += " --of-idp '" + idp + "'"

# Additional mapping for custom IdP only relevant if custom IdP is used
(
groupForIdp,
attributeForIdp,
attributeValueForIdp,
) = getCustomIdpMapping(rolecollection)

if isMappingForIdpValid(
groupForIdp, attributeForIdp, attributeValueForIdp
):

if groupForIdp is not None:
command += " --to-group '" + groupForIdp + "'"

if attributeForIdp is not None:
command += " --to-attribute '" + attributeForIdp + "'"
command += (
" --attribute-value '" + attributeValueForIdp + "'"
)
else:
log.error(
"Custom IdP configuration is not valid. Please check."
)
sys.exit(os.EX_DATAERR)

runCommandAndGetJsonResult(btpUsecase, command, "INFO", message)


Expand Down Expand Up @@ -380,6 +486,7 @@ def assignUsersToEnvironments(btpUsecase):
)
if idp is not None:
command += " --origin '" + idp + "'"

p = runShellCommandFlex(
btpUsecase, command, "INFO", message, False, False
)
idp = rolecollection.get("idp")

return idp


def getCustomIdpMapping(rolecollection):
groupForIdp = None
attributeForIdp = None
attributeValueForIdp = None

if rolecollection.get("group"):
groupForIdp = rolecollection.get("group")

if rolecollection.get("attribute"):
attributeForIdp = rolecollection.get("attribute")

if rolecollection.get("attributeValue"):
attributeValueForIdp = rolecollection.get("attributeValue")

return groupForIdp, attributeForIdp, attributeValueForIdp


def isMappingForIdpValid(groupForIdp, attributeForIdp, attributeValueForIdp):
if groupForIdp is not None and attributeForIdp is not None:
log.error(
"A group and an attribute is configured for the IdP mapping. Only one is allowed."
)
return False
if (attributeForIdp is None and attributeValueForIdp is not None) or (
attributeForIdp is not None and attributeValueForIdp is None
):
log.error(
"Attribute and attributeValue are both required for the IdP mapping. One is missing."
)
return False
return True
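Review bot: The new `--to-group`, `--to-attribute` and `--attribute-value` arguments are spliced into the command string with bare single quotes (`" --to-group '" + groupForIdp + "'"`), so a group or attribute value from the use-case file that contains a `'` breaks the quoting and the command no longer means what the config said; the pre-existing `--of-idp '...'` line has the same weakness, but this commit adds three more config-sourced values to the string, in four places across three functions (assignUsergroupsToRoleCollection, twice in assignUsersToGlobalAndSubaccount, assignUsersToCustomRoleCollections). The quoting style suggests `runCommandAndGetJsonResult` hands the string to a shell, which the page does not show; if so, `shlex.quote()` (stdlib, `import shlex` next to the new `import sys`/`import os`) is the correct form, and moving the duplicated block into one helper keeps the validation-and-exit path in a single place. Separately, `os.EX_DATAERR` is only defined on Unix, so `sys.exit(os.EX_DATAERR)` raises AttributeError on Windows; a module-level constant such as `EX_DATAERR = getattr(os, "EX_DATAERR", 65)` keeps the exit code and the portability. The function enclosing each of these hunks starts before the hunk.
```python
def appendCustomIdpMapping(command, rolecollection):
    """Append the custom-IdP group/attribute mapping of *rolecollection* to *command*.

    Exits with EX_DATAERR when the mapping is inconsistent (see isMappingForIdpValid).
    """
    groupForIdp, attributeForIdp, attributeValueForIdp = getCustomIdpMapping(
        rolecollection
    )
    if not isMappingForIdpValid(groupForIdp, attributeForIdp, attributeValueForIdp):
        log.error("Custom IdP configuration is not valid. Please check.")
        sys.exit(os.EX_DATAERR)
    # shlex.quote keeps a value containing quotes or spaces as one shell word
    if groupForIdp is not None:
        command += " --to-group " + shlex.quote(groupForIdp)
    if attributeForIdp is not None:
        command += " --to-attribute " + shlex.quote(attributeForIdp)
        command += " --attribute-value " + shlex.quote(attributeValueForIdp)
    return command


# at each of the four call sites, replacing the pasted block:
        if idp is not None:
            command += " --of-idp '" + idp + "'"
        command = appendCustomIdpMapping(command, rolecollection)
        # … unchanged: runCommandAndGetJsonResult call …
```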