// Copyright 2019 Yunion // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package models import ( "context" "yunion.io/x/jsonutils" "yunion.io/x/log" "yunion.io/x/pkg/errors" "yunion.io/x/sqlchemy" "yunion.io/x/onecloud/pkg/apis" api "yunion.io/x/onecloud/pkg/apis/cloudid" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/stringutils2" ) type SSamluserManager struct { db.SStatusDomainLevelUserResourceBaseManager SCloudgroupResourceBaseManager } var SamluserManager *SSamluserManager func init() { SamluserManager = &SSamluserManager{ SStatusDomainLevelUserResourceBaseManager: db.NewStatusDomainLevelUserResourceBaseManager( SSamluser{}, "samlusers_tbl", "samluser", "samlusers", ), } SamluserManager.SetVirtualObject(SamluserManager) } type SSamluser struct { db.SStatusDomainLevelUserResourceBase SCloudgroupResourceBase // 邮箱地址 Email string `width:"36" charset:"ascii" nullable:"true" list:"user" create:"domain_optional"` CloudroleId string `width:"36" charset:"ascii" nullable:"false" list:"user"` } func (manager *SSamluserManager) GetResourceCount() ([]db.SScopeResourceCount, error) { q := manager.Query() domainCnt, err := db.CalculateResourceCount(q, "domain_id") if err != nil { return nil, errors.Wrap(err, "CalculateResourceCount.domain_id") } q = manager.Query() userCnt, err := db.CalculateResourceCount(q, "owner_id") if err != nil { return nil, errors.Wrap(err, "CalculateResourceCount.owner_id") } return append(domainCnt, userCnt...), nil } func (manager *SSamluserManager) GetIVirtualModelManager() db.IVirtualModelManager { return manager.GetVirtualObject().(db.IVirtualModelManager) } func (manager *SSamluserManager) FetchUniqValues(ctx context.Context, data jsonutils.JSONObject) jsonutils.JSONObject { groupId, _ := data.GetString("cloudgroup_id") return jsonutils.Marshal(map[string]string{"cloudgroup_id": groupId}) } func (manager *SSamluserManager) FilterByUniqValues(q *sqlchemy.SQuery, values jsonutils.JSONObject) *sqlchemy.SQuery { groupId, _ := values.GetString("cloudgroup_id") if len(groupId) > 0 { q = q.Equals("cloudgroup_id", groupId) } return q } // SAML认证用户列表 func (manager *SSamluserManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query api.SamluserListInput) (*sqlchemy.SQuery, error) { var err error q, err = manager.SStatusDomainLevelUserResourceBaseManager.ListItemFilter(ctx, q, userCred, query.StatusDomainLevelUserResourceListInput) if err != nil { return nil, err } q, err = manager.SCloudgroupResourceBaseManager.ListItemFilter(ctx, q, userCred, query.CloudgroupResourceListInput) if err != nil { return nil, err } if len(query.CloudaccountId) > 0 { _, err := validators.ValidateModel(ctx, userCred, CloudaccountManager, &query.CloudaccountId) if err != nil { return nil, err } sq := CloudgroupManager.Query("id").Equals("cloudaccount_id", query.CloudaccountId) q = q.In("cloudgroup_id", sq.SubQuery()) } return q, nil } func (manager *SSamluserManager) QueryDistinctExtraField(q *sqlchemy.SQuery, field string) (*sqlchemy.SQuery, error) { var err error q, err = manager.SStatusDomainLevelUserResourceBaseManager.QueryDistinctExtraField(q, field) if err == nil { return q, nil } switch field { case "manager": managerQuery := CloudproviderManager.Query("name", "id").SubQuery() groupQuery := CloudgroupManager.Query("id").SubQuery() q.AppendField(managerQuery.Field("name", field)).Distinct() q = q.Join(groupQuery, sqlchemy.Equals(q.Field("cloudgroup_id"), groupQuery.Field("id"))) q = q.Join(managerQuery, sqlchemy.Equals(groupQuery.Field("manager_id"), managerQuery.Field("id"))) return q, nil case "account": accountQuery := CloudaccountManager.Query("name", "id").SubQuery() providers := CloudproviderManager.Query("id", "cloudaccount_id").SubQuery() groupQuery := CloudgroupManager.Query("id").SubQuery() q.AppendField(accountQuery.Field("name", field)).Distinct() q = q.Join(groupQuery, sqlchemy.Equals(q.Field("cloudgroup_id"), groupQuery.Field("id"))) q = q.Join(providers, sqlchemy.Equals(groupQuery.Field("manager_id"), providers.Field("id"))) q = q.Join(accountQuery, sqlchemy.Equals(providers.Field("cloudaccount_id"), accountQuery.Field("id"))) return q, nil case "provider", "brand": accountQuery := CloudaccountManager.Query(field, "id").Distinct().SubQuery() providers := CloudproviderManager.Query("id", "cloudaccount_id").SubQuery() groupQuery := CloudgroupManager.Query("id").SubQuery() q.AppendField(accountQuery.Field(field)).Distinct() q = q.Join(groupQuery, sqlchemy.Equals(q.Field("cloudgroup_id"), groupQuery.Field("id"))) q = q.Join(providers, sqlchemy.Equals(groupQuery.Field("manager_id"), providers.Field("id"))) q = q.Join(accountQuery, sqlchemy.Equals(providers.Field("cloudaccount_id"), accountQuery.Field("id"))) return q, nil } return q, httperrors.ErrNotFound } // 创建SAML认证用户 func (manager *SSamluserManager) ValidateCreateData( ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, input *api.SamluserCreateInput, ) (*api.SamluserCreateInput, error) { if len(input.OwnerId) > 0 { user, err := db.UserCacheManager.FetchUserById(ctx, input.OwnerId) if err != nil { return input, errors.Wrapf(err, "FetchUserById") } input.OwnerId = user.Id if len(input.Name) == 0 { input.Name = user.Name } } else { input.OwnerId = userCred.GetUserId() if len(input.Name) == 0 { input.Name = userCred.GetUserName() } } groupObj, err := validators.ValidateModel(ctx, userCred, CloudgroupManager, &input.CloudgroupId) if err != nil { return input, err } group := groupObj.(*SCloudgroup) sq := CloudgroupManager.Query("id").Equals("cloudaccount_id", group.CloudaccountId) if len(group.ManagerId) > 0 { sq = sq.Equals("manager_id", group.ManagerId) } cnt, err := manager.Query().Equals("owner_id", input.OwnerId).In("cloudgroup_id", sq.SubQuery()).CountWithError() if err != nil { return nil, err } if cnt > 0 { return input, httperrors.NewConflictError("user %s has already in group %s account", input.Name, group.Name) } input.Status = apis.STATUS_CREATING return input, nil } func (self *SSamluser) PostCreate(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data jsonutils.JSONObject) { self.StartCreateTask(ctx, userCred, "") } func (self *SSamluser) StartCreateTask(ctx context.Context, userCred mcclient.TokenCredential, parentTaskId string) error { params := jsonutils.NewDict() task, err := taskman.TaskManager.NewTask(ctx, "SamlUserCreateTask", self, userCred, params, parentTaskId, "", nil) if err != nil { return errors.Wrapf(err, "NewTask") } return task.ScheduleRun(nil) } func (manager *SSamluserManager) FetchCustomizeColumns( ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, objs []interface{}, fields stringutils2.SSortedStrings, isList bool, ) []api.SamluserDetails { rows := make([]api.SamluserDetails, len(objs)) userRows := manager.SStatusDomainLevelUserResourceBaseManager.FetchCustomizeColumns(ctx, userCred, query, objs, fields, isList) groupRows := manager.SCloudgroupResourceBaseManager.FetchCustomizeColumns(ctx, userCred, query, objs, fields, isList) groupIds := make([]string, len(objs)) for i := range rows { rows[i] = api.SamluserDetails{ StatusDomainLevelUserResourceDetails: userRows[i], CloudgroupResourceDetails: groupRows[i], } user := objs[i].(*SSamluser) groupIds[i] = user.CloudgroupId } groups := make(map[string]SCloudgroup) err := db.FetchStandaloneObjectsByIds(CloudgroupManager, groupIds, &groups) if err != nil { log.Errorf("FetchStandaloneObjectsByIds fail %s", err) return rows } managerIds := make([]string, len(objs)) accountIds := make([]string, len(objs)) for i := range rows { if group, ok := groups[groupIds[i]]; ok { rows[i].CloudaccountId = group.CloudaccountId rows[i].ManagerId = group.ManagerId managerIds[i] = group.ManagerId accountIds[i] = group.CloudaccountId } } accounts := make(map[string]SCloudaccount) err = db.FetchStandaloneObjectsByIds(CloudaccountManager, accountIds, &accounts) if err != nil { log.Errorf("FetchStandaloneObjectsByIds for accounts fail %s", err) return nil } managers := make(map[string]SCloudprovider) err = db.FetchStandaloneObjectsByIds(CloudproviderManager, managerIds, &managers) if err != nil { log.Errorf("FetchStandaloneObjectsByIds for accounts fail %s", err) return nil } for i := range rows { if account, ok := accounts[rows[i].CloudaccountId]; ok { rows[i].Cloudaccount = account.Name rows[i].Provider = account.Provider rows[i].Brand = account.Brand } if provider, ok := managers[rows[i].ManagerId]; ok { rows[i].Manager = provider.Name } } return rows }