Group and User updates to work around offline issues (#904)

Author: CarolynRountree

core/src/main/python/wlsdeploy/aliases/model_constants.py

@@ -95,6 +95,7 @@
 DEFAULT_WLS_DOMAIN_NAME = 'base_domain'
 DELIVERY_FAILURE_PARAMS = 'DeliveryFailureParams'
 DELIVERY_PARAMS_OVERRIDES = 'DeliveryParamsOverrides'
+DESCRIPTION = 'Description'
 DESTINATION_KEY = 'DestinationKey'
 DIRECTORY = 'Directory'
 DISTRIBUTED_QUEUE = 'DistributedQueue'
@@ -127,6 +128,7 @@
 FOREIGN_SERVER = 'ForeignServer'
 GROUP = 'Group'
 GROUP_PARAMS = 'GroupParams'
+GROUP_MEMBER_OF = 'GroupMemberOf'
 GLOBAL_VARIABLE_SUBSTITUTION = 'VariableSubstitution'
 HARVESTED_TYPE = 'HarvestedType'
 HARVESTER = 'Harvester'
@@ -315,6 +317,7 @@
 WLDF_SYSTEM_RESOURCE = "WLDFSystemResource"
 WLS_ROLES = "WLSRoles"
 WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS = 'WLSUserPasswordCredentialMappings'
+WLS_DEFAULT_AUTHENTICATION = 'WLSDefaultAuthentication'
 WS_RELIABLE_DELIVERY_POLICY = 'WSReliableDeliveryPolicy'
 WTC_SERVER = 'WTCServer'
 XACML_AUTHORIZER = 'XACMLAuthorizer'

core/src/main/python/wlsdeploy/tool/create/domain_creator.py

@@ -69,6 +69,7 @@
 from wlsdeploy.aliases.model_constants import USER
 from wlsdeploy.aliases.model_constants import VIRTUAL_TARGET
 from wlsdeploy.aliases.model_constants import WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS
+from wlsdeploy.aliases.model_constants import WLS_DEFAULT_AUTHENTICATION
 from wlsdeploy.aliases.model_constants import WS_RELIABLE_DELIVERY_POLICY
 from wlsdeploy.aliases.model_constants import XML_ENTITY_CACHE
 from wlsdeploy.aliases.model_constants import XML_REGISTRY
@@ -83,6 +84,7 @@
 from wlsdeploy.tool.deploy import model_deployer
 from wlsdeploy.tool.util.archive_helper import ArchiveHelper
 from wlsdeploy.tool.util.credential_map_helper import CredentialMapHelper
+from wlsdeploy.tool.util.default_authenticator_helper import DefaultAuthenticatorHelper
 from wlsdeploy.tool.util.library_helper import LibraryHelper
 from wlsdeploy.tool.util.rcu_helper import RCUHelper
 from wlsdeploy.tool.util.target_helper import TargetHelper
@@ -544,8 +546,6 @@ def __extend_domain_with_select_template(self, domain_home):
  self.__configure_fmw_infra_database()
  self.__configure_opss_secrets()
  topology_folder_list = self.aliases.get_model_topology_top_level_folder_names()
-
- self.__create_security_folder()
  topology_folder_list.remove(SECURITY)
 
  resources_dict = self.model.get_model_resources()
@@ -577,6 +577,10 @@ def __extend_domain_with_select_template(self, domain_home):
  self.logger.info('WLSDPLY-12206', self._domain_name, domain_home,
  class_name=self.__class_name, method_name=_method_name)
  self.wlst_helper.read_domain(domain_home)
+
+ print '******* create security folder'
+ self.__create_security_folder()
+
  self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
  return
 
@@ -688,20 +692,17 @@ def __create_mbeans_used_by_topology_mbeans(self, topology_folder_list):
 
  def __create_security_folder(self):
  """
- Create the /Security folder objects, if any.
+ Create the the security objects if any. The security information
+ from the model will be writting to the DefaultAuthenticatorInit.ldift file
  :raises: CreateException: if an error occurs
  """
  _method_name = '__create_security_folder'
-
- location = LocationContext()
- domain_name_token = self.aliases.get_name_token(location)
- location.add_name_token(domain_name_token, self._domain_name)
- self.logger.entering(str(location), class_name=self.__class_name, method_name=_method_name)
- security_nodes = dictionary_utils.get_dictionary_element(self._topology, SECURITY)
- if len(security_nodes) > 0:
- self._create_mbean(SECURITY, security_nodes, location)
+ self.logger.entering(class_name=self.__class_name, method_name=_method_name)
+ security_folder = dictionary_utils.get_dictionary_element(self._topology, SECURITY)
+ if security_folder is not None:
+ helper = DefaultAuthenticatorHelper(self.model_context, ExceptionType.CREATE)
+ helper.create_default_init_file(security_folder)
  self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
- return
 
  def __create_log_filters(self, location):
  """

core/src/main/python/wlsdeploy/tool/util/default_authenticator_helper.py

@@ -0,0 +1,173 @@
+"""
+Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+"""
+import com.bea.common.security.utils.encoders.BASE64Encoder as BASE64Encoder
+import com.bea.security.xacml.cache.resource.ResourcePolicyIdUtil as ResourcePolicyIdUtil
+from java.io import File
+from java.lang import String
+
+import oracle.weblogic.deploy.aliases.TypeUtils as TypeUtils
+
+from wlsdeploy.aliases.model_constants import DESCRIPTION
+from wlsdeploy.aliases.model_constants import GROUP
+from wlsdeploy.aliases.model_constants import GROUP_MEMBER_OF
+from wlsdeploy.aliases.model_constants import PASSWORD
+from wlsdeploy.aliases.model_constants import USER
+from wlsdeploy.exception import exception_helper
+from wlsdeploy.logging.platform_logger import PlatformLogger
+from wlsdeploy.tool.util.targets import file_template_helper
+from wlsdeploy.util import dictionary_utils
+from wlsdeploy.util.weblogic_helper import WebLogicHelper
+
+TEMPLATE_PATH = 'oracle/weblogic/deploy/security'
+DEFAULT_AUTH_INIT_FILE = 'DefaultAuthenticatorInit.ldift'
+SECURITY_SUBDIR = 'security'
+GROUP_MAPPINGS = 'group'
+USER_MAPPINGS = 'user'
+
+# template hash constants
+HASH_NAME = 'name'
+HASH_DESCRIPTION = 'description'
+HASH_GROUPS = 'groups'
+HASH_GROUP = 'groupMemberOf'
+HASH_USER_PASSWORD = 'password'
+
+
+class DefaultAuthenticatorHelper(object):
+ """
+ This class is used to write the Security Group and User data into the ldift file. The reason is
+ that there are several issues that are broken in offline, while they work in online. This works
+ around these problems.
+ """
+ _class_name = 'DefaultAuthenticatorHelper'
+
+ def __init__(self, model_context, exception_type):
+ self._model_context = model_context
+ self._exception_type = exception_type
+ self._logger = PlatformLogger('wlsdeploy.tool.util')
+ self._weblogic_helper = WebLogicHelper(self._logger)
+ self._resource_escaper = ResourcePolicyIdUtil.getEscaper()
+ self._b64_encoder = BASE64Encoder()
+
+ def create_default_init_file(self, security_mapping_nodes):
+ """
+ Use the security information to write user/groups to the DefaultAuthenticatorInit.ldift file.
+ This file must exist before writing the data. Build a hash map from the model data and
+ append to the file using the template file for structure.
+ :param security_mapping_nodes: the Security elements from the model
+ """
+ _method_name = 'create_default_init_file'
+
+ template_hash = self._build_default_template_hash(security_mapping_nodes)
+ template_path = TEMPLATE_PATH + '/' + DEFAULT_AUTH_INIT_FILE
+
+ output_dir = File(self._model_context.get_domain_home(), SECURITY_SUBDIR)
+ output_file = File(output_dir, DEFAULT_AUTH_INIT_FILE)
+
+ self._logger.info('WLSDPLY-01900', output_file, class_name=self._class_name, method_name=_method_name)
+
+ file_template_helper.append_file_from_resource(template_path, template_hash, output_file, self._exception_type)
+
+ def _build_default_template_hash(self, mapping_section_nodes):
+ """
+ Create a dictionary of substitution values to apply to the default authenticator template.
+ :param mapping_section_nodes: the security elements from the model
+ :return: the template hash dictionary
+ """
+ template_hash = dict()
+
+ group_mappings = []
+ user_mappings = []
+
+ if GROUP in mapping_section_nodes.keys():
+ group_mapping_nodes = mapping_section_nodes[GROUP]
+ for name in group_mapping_nodes:
+ mapping_hash = self._build_group_mapping_hash(group_mapping_nodes[name], name)
+ group_mappings.append(mapping_hash)
+ if USER in mapping_section_nodes.keys():
+ user_mapping_nodes = mapping_section_nodes[USER]
+ for name in user_mapping_nodes:
+ mapping_hash = self._build_user_mapping_hash(user_mapping_nodes[name], name)
+ user_mappings.append(mapping_hash)
+
+ template_hash[GROUP_MAPPINGS] = group_mappings
+ template_hash[USER_MAPPINGS] = user_mappings
+ print '****** template hash ', template_hash
+ return template_hash
+
+ def _build_group_mapping_hash(self, group_mapping_section, name):
+ """
+ Build a template hash for the specified mapping element from the model.
+ :param group_mapping_section: the security group entry from the model
+ :param name: The name of the group
+ :return: the template hash
+ """
+ hash_entry = dict()
+ hash_entry[HASH_NAME] = name
+ group_attributes = group_mapping_section
+ description = dictionary_utils.get_element(group_attributes, DESCRIPTION)
+ hash_entry[HASH_DESCRIPTION] = description
+ groups = dictionary_utils.get_element(group_attributes, GROUP_MEMBER_OF)
+ group_list = []
+ group_mappings = list()
+ if groups is not None:
+ group_list = TypeUtils.convertToType('list', groups)
+ for group in group_list:
+ group_mappings.append({HASH_GROUP: group})
+ hash_entry[HASH_GROUPS] = group_mappings
+ else:
+ hash_entry[HASH_GROUPS] = group_list
+
+ return hash_entry
+
+ def _build_user_mapping_hash(self, user_mapping_section, name):
+ """
+ Build a template hash map from the security user data from the model.
+ This includes encoding the required password.
+ :param user_mapping_section: The security user section from the model
+ :param name: name of the user for the user section
+ :return: template hash map
+ """
+ hash_entry = dict()
+ hash_entry[HASH_NAME] = name
+ group_attributes = user_mapping_section
+ description = dictionary_utils.get_element(group_attributes, DESCRIPTION)
+ hash_entry[HASH_DESCRIPTION] = description
+ groups = dictionary_utils.get_element(group_attributes, GROUP_MEMBER_OF)
+ password = self._get_required_attribute(user_mapping_section, PASSWORD, USER, name)
+ encrypted = self._weblogic_helper.encrypt(password, self._model_context.get_domain_home())
+ password_encoded = self._b64_encoder.encodeBuffer(String(encrypted).getBytes("UTF-8"))
+ hash_entry[HASH_USER_PASSWORD] = password_encoded
+ group_list = []
+ group_mappings = list()
+ if groups is not None:
+ group_list = TypeUtils.convertToType('list', groups)
+ for group in group_list:
+ group_mappings.append({HASH_GROUP: group})
+ hash_entry[HASH_GROUPS] = group_mappings
+ else:
+ hash_entry[HASH_GROUPS] = group_list
+
+ return hash_entry
+
+ def _get_required_attribute(self, dictionary, name, mapping_type, mapping_name):
+ """
+ Return the value of the specified attribute from the specified dictionary.
+ Log and throw an exception if the attribute is not found.
+ :param dictionary: the dictionary to be checked
+ :param name: the name of the attribute to find
+ :param mapping_type: the type of the mapping, such as 'CrossDomain'
+ :param mapping_name: the mapping name from the model, such as 'map1'
+ :return: the value of the attribute
+ :raises: Tool type exception: if an the attribute is not found
+ """
+ _method_name = '_get_required_attribute'
+
+ result = dictionary_utils.get_element(dictionary, name)
+ if result is None:
+ pwe = exception_helper.create_exception(self._exception_type, '-01791', name, mapping_type,
+ mapping_name)
+ self._logger.throwing(class_name=self._class_name, method_name=_method_name, error=pwe)
+ raise pwe
+ return result

core/src/main/python/wlsdeploy/tool/util/targets/file_template_helper.py

@@ -44,6 +44,26 @@ def create_file_from_resource(resource_path, template_hash, output_file, excepti
  _create_file_from_stream(template_stream, template_hash, output_file)
 
 
+def append_file_from_resource(resource_path, template_hash, output_file, exception_type):
+ """
+ Read the template from the resource stream, perform any substitutions,
+ and write it to the output file.
+ :param resource_path: the resource path of the source template
+ :param template_hash: a dictionary of substitution values
+ :param output_file: the file to write
+ :param exception_type: the type of exception to throw if needed
+ """
+ _method_name = 'append_file_from_resource'
+
+ template_stream = FileUtils.getResourceAsStream(resource_path)
+ if template_stream is None:
+ ex = exception_helper.create_exception(exception_type, 'WLSDPLY-01661', resource_path)
+ __logger.throwing(ex, class_name=__class_name, method_name=_method_name)
+ raise ex
+ FileUtils.validateExistingFile(output_file)
+ _create_file_from_stream(template_stream, template_hash, output_file, 'a')
+
+
 def create_file_from_file(file_path, template_hash, output_file, exception_type):
  """
  Read the template from the template file, perform any substitutions,
@@ -65,9 +85,9 @@ def create_file_from_file(file_path, template_hash, output_file, exception_type)
  raise ex
 
 
-def _create_file_from_stream(template_stream, template_hash, output_file):
+def _create_file_from_stream(template_stream, template_hash, output_file, write_access='w'):
  template_reader = BufferedReader(InputStreamReader(template_stream))
- file_writer = open(output_file.getPath(), "w")
+ file_writer = open(output_file.getPath(), write_access)
 
  block_key = None
  block_lines = []

core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/Security.json

@@ -10,6 +10,7 @@
  "folders": { },
  "attributes": {
  "Description": [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Description", "wlst_path": "WP001", "value": {"default": "None" }, "wlst_type": "string", "get_method": "NONE" } ],
+ "GroupMemberOf": [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "GroupMemberOf", "wlst_path": "WP001", "value": {"default": "None" }, "wlst_type": "delimited_string", "get_method": "NONE" } ],
  "Name": [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Name", "wlst_path": "WP001", "value": {"default": "None" }, "wlst_type": "string", "get_method": "NONE" } ]
  },
  "wlst_attributes_path": "WP001",

core/src/main/resources/oracle/weblogic/deploy/messages/wlsdeploy_rb.properties

@@ -385,6 +385,8 @@ WLSDPLY-01805=Unexpected {0} during role mapper processing: {1}
 WLSDPLY-01790=Creating default credential mapper initialization file {0}
 WLSDPLY-01791=Attribute "{0}" is required for {1} credential mapping {2}
 
+# wlsdeploy/tool/util/default_authenticator_helper.py
+WLSDPLY-01900=Append to default authenticator initialization file {0}
 ###############################################################################
 # Encrypt Messages (04000 - 04999) #
 ###############################################################################

core/src/main/resources/oracle/weblogic/deploy/security/DefaultAuthenticatorInit.ldift

@@ -0,0 +1,30 @@
+{{#group}}
+
+dn: cn={{{name}}},ou=groups,ou=@realm@,dc=@domain@
+memberURL: ldap:///ou=people,ou=@realm@,dc=@domain@??sub?(&(objectclass=person)(wlsMemberOf=cn={{{name}}},ou=groups,ou=@realm@,dc=@domain@))
+description: {{{description}}}
+objectclass: top
+objectclass: groupOfURLs
+objectclass: groupOfUniqueNames
+cn: {{{name}}}
+{{#groups}}
+uniquemember: cn={{{groupMemberOf}}},ou=groups,ou=@realm@,dc=@domain@
+{{/groups}}
+{{/group}}
+{{#user}}
+
+dn: uid={{{name}}},ou=people,ou=@realm@,dc=@domain@
+description: {{{description}}}
+objectclass: inetOrgPerson
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: {{{name}}}
+sn: {{{name}}}
+userpassword: {{{password}}}
+uid: {{{name}}}
+objectclass: wlsUser
+{{#groups}}
+wlsMemberOf: cn={{{groupMemberOf}}},ou=groups,ou=@realm@,dc=@domain@
+{{/groups}}
+{{/user}}