Group and User updates to work around offline issues (#904)

Author: CarolynRountree

core/src/main/python/wlsdeploy/aliases/model_constants.py

@@ -95,6 +95,7 @@
 DEFAULT_WLS_DOMAIN_NAME = 'base_domain'
 DELIVERY_FAILURE_PARAMS = 'DeliveryFailureParams'
 DELIVERY_PARAMS_OVERRIDES = 'DeliveryParamsOverrides'
+DESCRIPTION = 'Description'
 DESTINATION_KEY = 'DestinationKey'
 DIRECTORY = 'Directory'
 DISTRIBUTED_QUEUE = 'DistributedQueue'
@@ -127,6 +128,7 @@
 FOREIGN_SERVER = 'ForeignServer'
 GROUP = 'Group'
 GROUP_PARAMS = 'GroupParams'
+GROUP_MEMBER_OF = 'GroupMemberOf'
 GLOBAL_VARIABLE_SUBSTITUTION = 'VariableSubstitution'
 HARVESTED_TYPE = 'HarvestedType'
 HARVESTER = 'Harvester'
@@ -315,6 +317,7 @@
 WLDF_SYSTEM_RESOURCE = "WLDFSystemResource"
 WLS_ROLES = "WLSRoles"
 WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS = 'WLSUserPasswordCredentialMappings'
+WLS_DEFAULT_AUTHENTICATION = 'WLSDefaultAuthentication'
 WS_RELIABLE_DELIVERY_POLICY = 'WSReliableDeliveryPolicy'
 WTC_SERVER = 'WTCServer'
 XACML_AUTHORIZER = 'XACMLAuthorizer'

core/src/main/python/wlsdeploy/tool/create/domain_creator.py

@@ -69,6 +69,7 @@
 from wlsdeploy.aliases.model_constants import USER
 from wlsdeploy.aliases.model_constants import VIRTUAL_TARGET
 from wlsdeploy.aliases.model_constants import WLS_USER_PASSWORD_CREDENTIAL_MAPPINGS
+from wlsdeploy.aliases.model_constants import WLS_DEFAULT_AUTHENTICATION
 from wlsdeploy.aliases.model_constants import WS_RELIABLE_DELIVERY_POLICY
 from wlsdeploy.aliases.model_constants import XML_ENTITY_CACHE
 from wlsdeploy.aliases.model_constants import XML_REGISTRY
@@ -83,6 +84,7 @@
 from wlsdeploy.tool.deploy import model_deployer
 from wlsdeploy.tool.util.archive_helper import ArchiveHelper
 from wlsdeploy.tool.util.credential_map_helper import CredentialMapHelper
+from wlsdeploy.tool.util.default_authenticator_helper import DefaultAuthenticatorHelper
 from wlsdeploy.tool.util.library_helper import LibraryHelper
 from wlsdeploy.tool.util.rcu_helper import RCUHelper
 from wlsdeploy.tool.util.target_helper import TargetHelper
@@ -544,8 +546,6 @@ def __extend_domain_with_select_template(self, domain_home):
             self.__configure_fmw_infra_database()
             self.__configure_opss_secrets()
         topology_folder_list = self.aliases.get_model_topology_top_level_folder_names()
-
-        self.__create_security_folder()
         topology_folder_list.remove(SECURITY)
 
         resources_dict = self.model.get_model_resources()
@@ -577,6 +577,10 @@ def __extend_domain_with_select_template(self, domain_home):
         self.logger.info('WLSDPLY-12206', self._domain_name, domain_home,
                          class_name=self.__class_name, method_name=_method_name)
         self.wlst_helper.read_domain(domain_home)
+
+        print '******* create security folder'
+        self.__create_security_folder()
+
         self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
         return
 
@@ -688,20 +692,17 @@ def __create_mbeans_used_by_topology_mbeans(self, topology_folder_list):
 
     def __create_security_folder(self):
         """
-        Create the /Security folder objects, if any.
+        Create the the security objects if any. The security information
+        from the model will be writting to the DefaultAuthenticatorInit.ldift file
         :raises: CreateException: if an error occurs
         """
         _method_name = '__create_security_folder'
-
-        location = LocationContext()
-        domain_name_token = self.aliases.get_name_token(location)
-        location.add_name_token(domain_name_token, self._domain_name)
-        self.logger.entering(str(location), class_name=self.__class_name, method_name=_method_name)
-        security_nodes = dictionary_utils.get_dictionary_element(self._topology, SECURITY)
-        if len(security_nodes) > 0:
-            self._create_mbean(SECURITY, security_nodes, location)
+        self.logger.entering(class_name=self.__class_name, method_name=_method_name)
+        security_folder = dictionary_utils.get_dictionary_element(self._topology, SECURITY)
+        if security_folder is not None:
+            helper = DefaultAuthenticatorHelper(self.model_context, ExceptionType.CREATE)
+            helper.create_default_init_file(security_folder)
         self.logger.exiting(class_name=self.__class_name, method_name=_method_name)
-        return
 
     def __create_log_filters(self, location):
         """

core/src/main/python/wlsdeploy/tool/util/default_authenticator_helper.py

@@ -0,0 +1,173 @@
+"""
+Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+"""
+import com.bea.common.security.utils.encoders.BASE64Encoder as BASE64Encoder
+import com.bea.security.xacml.cache.resource.ResourcePolicyIdUtil as ResourcePolicyIdUtil
+from java.io import File
+from java.lang import String
+
+import oracle.weblogic.deploy.aliases.TypeUtils as TypeUtils
+
+from wlsdeploy.aliases.model_constants import DESCRIPTION
+from wlsdeploy.aliases.model_constants import GROUP
+from wlsdeploy.aliases.model_constants import GROUP_MEMBER_OF
+from wlsdeploy.aliases.model_constants import PASSWORD
+from wlsdeploy.aliases.model_constants import USER
+from wlsdeploy.exception import exception_helper
+from wlsdeploy.logging.platform_logger import PlatformLogger
+from wlsdeploy.tool.util.targets import file_template_helper
+from wlsdeploy.util import dictionary_utils
+from wlsdeploy.util.weblogic_helper import WebLogicHelper
+
+TEMPLATE_PATH = 'oracle/weblogic/deploy/security'
+DEFAULT_AUTH_INIT_FILE = 'DefaultAuthenticatorInit.ldift'
+SECURITY_SUBDIR = 'security'
+GROUP_MAPPINGS = 'group'
+USER_MAPPINGS = 'user'
+
+# template hash constants
+HASH_NAME = 'name'
+HASH_DESCRIPTION = 'description'
+HASH_GROUPS = 'groups'
+HASH_GROUP = 'groupMemberOf'
+HASH_USER_PASSWORD = 'password'
+
+
+class DefaultAuthenticatorHelper(object):
+    """
+    This class is used to write the Security Group and User data into the ldift file. The reason is
+    that there are several issues that are broken in offline, while they work in online. This works
+    around these problems.
+    """
+    _class_name = 'DefaultAuthenticatorHelper'
+
+    def __init__(self, model_context, exception_type):
+        self._model_context = model_context
+        self._exception_type = exception_type
+        self._logger = PlatformLogger('wlsdeploy.tool.util')
+        self._weblogic_helper = WebLogicHelper(self._logger)
+        self._resource_escaper = ResourcePolicyIdUtil.getEscaper()
+        self._b64_encoder = BASE64Encoder()
+
+    def create_default_init_file(self, security_mapping_nodes):
+        """
+        Use the security information to write user/groups to the DefaultAuthenticatorInit.ldift file.
+        This file must exist before writing the data. Build a hash map from the model data and
+        append to the file using the template file for structure.
+        :param security_mapping_nodes: the Security elements from the model
+        """
+        _method_name = 'create_default_init_file'
+
+        template_hash = self._build_default_template_hash(security_mapping_nodes)
+        template_path = TEMPLATE_PATH + '/' + DEFAULT_AUTH_INIT_FILE
+
+        output_dir = File(self._model_context.get_domain_home(), SECURITY_SUBDIR)
+        output_file = File(output_dir, DEFAULT_AUTH_INIT_FILE)
+
+        self._logger.info('WLSDPLY-01900', output_file, class_name=self._class_name, method_name=_method_name)
+
+        file_template_helper.append_file_from_resource(template_path, template_hash, output_file, self._exception_type)
+
+    def _build_default_template_hash(self, mapping_section_nodes):
+        """
+        Create a dictionary of substitution values to apply to the default authenticator template.
+        :param mapping_section_nodes: the security elements from the model
+        :return: the template hash dictionary
+        """
+        template_hash = dict()
+
+        group_mappings = []
+        user_mappings = []
+
+        if GROUP in mapping_section_nodes.keys():
+            group_mapping_nodes = mapping_section_nodes[GROUP]
+            for name in group_mapping_nodes:
+                mapping_hash = self._build_group_mapping_hash(group_mapping_nodes[name], name)
+                group_mappings.append(mapping_hash)
+        if USER in mapping_section_nodes.keys():
+            user_mapping_nodes = mapping_section_nodes[USER]
+            for name in user_mapping_nodes:
+                mapping_hash = self._build_user_mapping_hash(user_mapping_nodes[name], name)
+                user_mappings.append(mapping_hash)
+
+        template_hash[GROUP_MAPPINGS] = group_mappings
+        template_hash[USER_MAPPINGS] = user_mappings
+        print '****** template hash ', template_hash
+        return template_hash
+
+    def _build_group_mapping_hash(self, group_mapping_section, name):
+        """
+        Build a template hash for the specified mapping element from the model.
+        :param group_mapping_section: the security group entry from the model
+        :param name: The name of the group
+        :return: the template hash
+        """
+        hash_entry = dict()
+        hash_entry[HASH_NAME] = name
+        group_attributes = group_mapping_section
+        description = dictionary_utils.get_element(group_attributes, DESCRIPTION)
+        hash_entry[HASH_DESCRIPTION] = description
+        groups = dictionary_utils.get_element(group_attributes, GROUP_MEMBER_OF)
+        group_list = []
+        group_mappings = list()
+        if groups is not None:
+            group_list = TypeUtils.convertToType('list', groups)
+            for group in group_list:
+                group_mappings.append({HASH_GROUP: group})
+            hash_entry[HASH_GROUPS] = group_mappings
+        else:
+            hash_entry[HASH_GROUPS] = group_list
+
+        return hash_entry
+
+    def _build_user_mapping_hash(self, user_mapping_section, name):
+        """
+        Build a template hash map from the security user data from the model.
+        This includes encoding the required password.
+        :param user_mapping_section: The security user section from the model
+        :param name: name of the user for the user section
+        :return: template hash map
+        """
+        hash_entry = dict()
+        hash_entry[HASH_NAME] = name
+        group_attributes = user_mapping_section
+        description = dictionary_utils.get_element(group_attributes, DESCRIPTION)
+        hash_entry[HASH_DESCRIPTION] = description
+        groups = dictionary_utils.get_element(group_attributes, GROUP_MEMBER_OF)
+        password = self._get_required_attribute(user_mapping_section, PASSWORD, USER, name)
+        encrypted = self._weblogic_helper.encrypt(password, self._model_context.get_domain_home())
+        password_encoded = self._b64_encoder.encodeBuffer(String(encrypted).getBytes("UTF-8"))
+        hash_entry[HASH_USER_PASSWORD] = password_encoded
+        group_list = []
+        group_mappings = list()
+        if groups is not None:
+            group_list = TypeUtils.convertToType('list', groups)
+            for group in group_list:
+                group_mappings.append({HASH_GROUP: group})
+            hash_entry[HASH_GROUPS] = group_mappings
+        else:
+            hash_entry[HASH_GROUPS] = group_list
+
+        return hash_entry
+
+    def _get_required_attribute(self, dictionary, name, mapping_type, mapping_name):
+        """
+        Return the value of the specified attribute from the specified dictionary.
+        Log and throw an exception if the attribute is not found.
+        :param dictionary: the dictionary to be checked
+        :param name: the name of the attribute to find
+        :param mapping_type: the type of the mapping, such as 'CrossDomain'
+        :param mapping_name: the mapping name from the model, such as 'map1'
+        :return: the value of the attribute
+        :raises: Tool type exception: if an the attribute is not found
+        """
+        _method_name = '_get_required_attribute'
+
+        result = dictionary_utils.get_element(dictionary, name)
+        if result is None:
+            pwe = exception_helper.create_exception(self._exception_type, '-01791', name, mapping_type,
+                                                    mapping_name)
+            self._logger.throwing(class_name=self._class_name, method_name=_method_name, error=pwe)
+            raise pwe
+        return result

core/src/main/python/wlsdeploy/tool/util/targets/file_template_helper.py

@@ -44,6 +44,26 @@ def create_file_from_resource(resource_path, template_hash, output_file, excepti
     _create_file_from_stream(template_stream, template_hash, output_file)
 
 
+def append_file_from_resource(resource_path, template_hash, output_file, exception_type):
+    """
+    Read the template from the resource stream, perform any substitutions,
+    and write it to the output file.
+    :param resource_path: the resource path of the source template
+    :param template_hash: a dictionary of substitution values
+    :param output_file: the file to write
+    :param exception_type: the type of exception to throw if needed
+    """
+    _method_name = 'append_file_from_resource'
+
+    template_stream = FileUtils.getResourceAsStream(resource_path)
+    if template_stream is None:
+        ex = exception_helper.create_exception(exception_type, 'WLSDPLY-01661', resource_path)
+        __logger.throwing(ex, class_name=__class_name, method_name=_method_name)
+        raise ex
+    FileUtils.validateExistingFile(output_file)
+    _create_file_from_stream(template_stream, template_hash, output_file, 'a')
+
+
 def create_file_from_file(file_path, template_hash, output_file, exception_type):
     """
     Read the template from the template file, perform any substitutions,
@@ -65,9 +85,9 @@ def create_file_from_file(file_path, template_hash, output_file, exception_type)
         raise ex
 
 
-def _create_file_from_stream(template_stream, template_hash, output_file):
+def _create_file_from_stream(template_stream, template_hash, output_file, write_access='w'):
     template_reader = BufferedReader(InputStreamReader(template_stream))
-    file_writer = open(output_file.getPath(), "w")
+    file_writer = open(output_file.getPath(), write_access)
 
     block_key = None
     block_lines = []

core/src/main/resources/oracle/weblogic/deploy/aliases/category_modules/Security.json

@@ -10,6 +10,7 @@
             "folders": { },
             "attributes": {
                 "Description": [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Description", "wlst_path": "WP001", "value": {"default": "None" }, "wlst_type": "string",   "get_method": "NONE" } ],
+                "GroupMemberOf":  [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "GroupMemberOf",  "wlst_path": "WP001", "value": {"default": "None" }, "wlst_type": "delimited_string", "get_method": "NONE" } ],
                 "Name":        [ {"version": "[10,)", "wlst_mode": "offline", "wlst_name": "Name",        "wlst_path": "WP001", "value": {"default": "None" }, "wlst_type": "string",   "get_method": "NONE" } ]
             },
             "wlst_attributes_path": "WP001",

core/src/main/resources/oracle/weblogic/deploy/messages/wlsdeploy_rb.properties

@@ -385,6 +385,8 @@ WLSDPLY-01805=Unexpected {0} during role mapper processing: {1}
 WLSDPLY-01790=Creating default credential mapper initialization file {0}
 WLSDPLY-01791=Attribute "{0}" is required for {1} credential mapping {2}
 
+# wlsdeploy/tool/util/default_authenticator_helper.py
+WLSDPLY-01900=Append to default authenticator initialization file {0}
 ###############################################################################
 #                    Encrypt Messages (04000 - 04999)                         #
 ###############################################################################

core/src/main/resources/oracle/weblogic/deploy/security/DefaultAuthenticatorInit.ldift

@@ -0,0 +1,30 @@
+{{#group}}
+
+dn: cn={{{name}}},ou=groups,ou=@realm@,dc=@domain@
+memberURL: ldap:///ou=people,ou=@realm@,dc=@domain@??sub?(&(objectclass=person)(wlsMemberOf=cn={{{name}}},ou=groups,ou=@realm@,dc=@domain@))
+description: {{{description}}}
+objectclass: top
+objectclass: groupOfURLs
+objectclass: groupOfUniqueNames
+cn: {{{name}}}
+{{#groups}}
+uniquemember: cn={{{groupMemberOf}}},ou=groups,ou=@realm@,dc=@domain@
+{{/groups}}
+{{/group}}
+{{#user}}
+
+dn: uid={{{name}}},ou=people,ou=@realm@,dc=@domain@
+description: {{{description}}}
+objectclass: inetOrgPerson
+objectclass: organizationalPerson
+objectclass: person
+objectclass: top
+cn: {{{name}}}
+sn: {{{name}}}
+userpassword: {{{password}}}
+uid: {{{name}}}
+objectclass: wlsUser
+{{#groups}}
+wlsMemberOf: cn={{{groupMemberOf}}},ou=groups,ou=@realm@,dc=@domain@
+{{/groups}}
+{{/user}}