Merge pull request #148 from lionick/ldap_provision_cert

Provision certificates from Org Identities
rciam · Nov 24, 2021 · 50ddc81 · 50ddc81
2 parents 60b53f7 + e2aa4c3
commit 50ddc81
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
+## Unreleased
+
+### Fixed
+
+- Provision certificates from OrgIdentity (LDAP Provisioner)
+
 ## [3.3.7-rciam] - 2021-11-16
 
 ### Fixed

diff --git a/app/Model/Behavior/ProvisionerBehavior.php b/app/Model/Behavior/ProvisionerBehavior.php
@@ -916,7 +916,7 @@ private function marshallCoPersonData($coPersonModel, $coPersonId) {
       'CoGroupMember' => array('CoGroup' => array('EmailListAdmin', 'EmailListMember', 'EmailListModerator')),
       // 'CoGroup'
       // 'CoGroupMember.CoGroup',
-      'CoOrgIdentityLink' => array('OrgIdentity' => array('Identifier')),
+      'CoOrgIdentityLink' => array('OrgIdentity' => array('Identifier', 'Cert')),
       //'CoOrgIdentityLink',
       // We normally don't pull org identity data, but we'll make an exception
       // for Identifier to be able to expose eppn

diff --git a/app/Model/Cert.php b/app/Model/Cert.php
@@ -491,4 +491,40 @@ public function beforeSave($options = array())
     return true;
   }
 
+  /**
+   * afterSave
+   *
+   * @param  boolean true if a new record was created (rather than update)
+   * @param  array, the same passed into Model::save()
+   * @return none
+   */
+  function afterSave($created, $options = Array()) {
+        $this->manualProvisionCert();
+  }
+
+  /**
+   * afterDelete
+   *
+   * @return none
+   */
+  function afterDelete() {
+    $this->manualProvisionCert();
+  }
+
+  /**
+   * manualProvisionCert
+   *
+   * @return none
+   */
+  function manualProvisionCert() {
+    $sAction = ProvisioningActionEnum::CoPersonUpdated;
+    $coPerson = $this->OrgIdentity->getLinkedPersonData($this->data['Cert']['org_identity_id']);
+    $sId = $coPerson[0]['CoOrgIdentityLink'][0]['co_person_id'];
+    // Since we do not copy the Certificates under the CoPerson we need to manually trigger CoPerson provisioning every time they become updated
+    if(!empty($sId)) {
+      $this->CoPerson->Behaviors->load('Provisioner');   
+      $this->CoPerson->manualProvision(null, $sId, null, $sAction);
+    }
+  }
+
 }
diff --git a/app/Plugin/LdapProvisioner/Model/CoLdapProvisionerTarget.php b/app/Plugin/LdapProvisioner/Model/CoLdapProvisionerTarget.php
@@ -709,20 +709,23 @@ protected function assembleAttributes($coProvisioningTargetData,
                 if(!$attropts) {
                   $attributes[$attr] = array();
                 }
-                if(!empty($provisioningData['Certificate'])) {
-                  foreach($provisioningData['Certificate'] as $cr) {
-                    $f = ($attr == 'voPersonCertificateDN' ? 'subject_dn' : 'issuer_dn');
-
-                    if($attropts) {
-                      $lrattr = $lattr . ";scope-" . $cr['id'];
-
-                      $attributes[$lrattr][] = $cr[$f];
-                    } else {
-                      $attributes[$attr][] = $cr[$f];
+                if(!empty($provisioningData['CoOrgIdentityLink'])) {
+                  foreach($provisioningData['CoOrgIdentityLink'] as $orgId) {
+                    foreach($orgId['OrgIdentity']['Cert'] as $cert) {
+                      $f = ($attr == 'voPersonCertificateDN' ? 'subject' : 'issuer');
+                      if(!empty($cert[$f])) {
+                        $cert[$f] = $this->opensslToRfc2253(trim($cert[$f]));
+                        if($attropts) {
+                            $lrattr = $lattr . ";scope-" . $cert['id'];
+                            $attributes[$lrattr][] = $cert[$f];
+                        } else {
+                            $attributes[$attr][] = $cert[$f];
+                        }
+                      }
                     }
                   }
                 }
-                
+
                 if(!$attropts && empty($attributes[$attr]) && !$modify) {
                   // This is the same as the approach using $found, but without an extra variable
                   unset($attributes[$attr]);
@@ -1470,6 +1473,9 @@ public function provision($coProvisioningTargetData, $op, $provisioningData) {
                             : ProvisioningActionEnum::CoGroupAdded),
                            $provisioningData);
         } else {
+          if(!empty($attributes)) {
+            $this->log(get_class($this) . "::{" . var_export($attributes, true) . "}::@", LOG_ERROR);
+          }
           throw new RuntimeException(ldap_error($cxn), ldap_errno($cxn));
         }
       }
@@ -2038,4 +2044,40 @@ public function verifyLdapServer($serverUrl, $bindDn, $password, $baseDn, $group
 
     return true;
   }
+
+  /**
+   * opensslToRfc2253
+   *
+   * @param string $inputDN
+   * @param boolean $withWildCards
+   * @return string
+   */
+
+  public static function opensslToRfc2253($inputDN, $withWildCards = false) {
+    if(!empty($inputDN) && substr($inputDN, 0, 1) != "/") {
+      // we assume is already rfc2253
+      return $inputDN;
+    }
+    $inputDN = str_replace(',', '\\,', $inputDN);
+    $parts = explode('/', $inputDN);
+    $avas = array();
+    array_push($avas, $parts[1]);
+    if(count($parts) < 2) {
+      return substr($inputDN, 1);
+    }
+    for($i = 2, $j = 0, $len = count($parts); $i < $len; $i++) {
+      if(!(strpos($parts[$i], '=') != false || ($withWildCards && strpos($parts[$i], '*') != false))) {
+        $cur = $avas[$j];
+        $avas[++$j] = $cur . '/' . $parts[$i];
+      } else {
+        array_push($avas, $parts[$i]);
+      }
+    }
+    $buf = '';
+    for($i = count($avas) - 1; $i > 0; $i--) {
+      $buf .= $avas[$i] . ',';
+    }
+    $buf .= $avas[0];
+    return $buf;
+  }
 }