<fix>[sso]: support sso server

Resolves: ZSTAC-66623 Change-Id: I6467666238676e6d666175747477786a71677963 (cherry picked from commit 4cad010) <fix>[sns]: add support for reporting changes in license addons Resolves: ZSTAC-67100 Change-Id: I716c767578626b6e756361696b6e671007717a6f (cherry picked from commit c86b6e7) <feature>[externalservice]: marketplace Resolves: ZHCI-2514 Change-Id: I6773796b76736d6b64777a786c787a787a637371 (cherry picked from commit 4b82f3f) (cherry picked from commit 14d27cc)
zstackio · Aug 28, 2024 · 037686f · 037686f
1 parent eece50a
commit 037686f
Show file tree

Hide file tree

Showing 17 changed files with 281 additions and 10 deletions.
diff --git a/compute/src/main/java/org/zstack/compute/vm/VmSystemTags.java b/compute/src/main/java/org/zstack/compute/vm/VmSystemTags.java
@@ -234,6 +234,12 @@ public class VmSystemTags {
     public static final String XML_HOOK_TOKEN = "xmlHook";
     public static PatternedSystemTag XML_HOOK = new PatternedSystemTag(String.format("xmlHook::{%s}", XML_HOOK_TOKEN), VmInstanceVO.class);
 
+    public static final String MARKET_PLACE_TOKEN = "marketplace::true";
+
+    public static PatternedSystemTag CREATED_BY_MARKETPLACE = new PatternedSystemTag(
+            MARKET_PLACE_TOKEN, VmInstanceVO.class
+    );
+
     public static class UserdataTagOutputHandler implements SensitiveTagOutputHandler {
         private final String chpasswd = "chpasswd";
         private final String list = "list";

diff --git a/conf/db/upgrade/V5.2.0__schema.sql b/conf/db/upgrade/V5.2.0__schema.sql
@@ -26,6 +26,16 @@ CREATE TABLE IF NOT EXISTS `zstack`.`XmlHookVmInstanceRefVO` (
     CONSTRAINT `fkXmlHookVmInstanceRefVO1` FOREIGN KEY (`vmInstanceUuid`) REFERENCES `ResourceVO` (`uuid`) ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
+CREATE TABLE IF NOT EXISTS `zstack`.`SSOServerTokenVO`(
+    `uuid` varchar(32) not null unique,
+    `accessToken` text DEFAULT NULL,
+    `idToken` text DEFAULT NULL,
+    `refreshToken` text DEFAULT NULL,
+    `userUuid` varchar(32) DEFAULT NULL,
+    `lastOpDate` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' ON UPDATE CURRENT_TIMESTAMP,
+    `createDate` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
+    PRIMARY KEY  (`uuid`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 DROP PROCEDURE IF EXISTS migrateJsonLabelToXmlHookVO;
 DELIMITER $$

diff --git a/core/src/main/java/org/zstack/core/externalservice/AbstractLocalExternalSystemdService.java b/core/src/main/java/org/zstack/core/externalservice/AbstractLocalExternalSystemdService.java
@@ -0,0 +1,17 @@
+package org.zstack.core.externalservice;
+
+import org.zstack.utils.Bash;
+
+public abstract class AbstractLocalExternalSystemdService extends AbstractLocalExternalService{
+    abstract public String getSystemdServiceName();
+
+    public void sysctl(String ctl) {
+        new Bash() {
+            @Override
+            protected void scripts() {
+                setE();
+                run("systemctl %s %s", ctl, getSystemdServiceName());
+            }
+        }.execute();
+    }
+}
diff --git a/header/src/main/java/org/zstack/header/identity/AccountConstant.java b/header/src/main/java/org/zstack/header/identity/AccountConstant.java
@@ -37,6 +37,14 @@ public interface AccountConstant {
     // login property accountType
     String ACCOUNT_TYPE = "accountType";
 
+    String PREFERRED_USERNAME = "preferred_username";
+    String FULL_NAME = "fullname";
+    String LOGIN_TYPE_NAME = "loginType";
+    String GROUPS_NAME = "groups";
+    String PROJECTS_NAME = "projects";
+
+
+
     static boolean isAdminPermission(SessionInventory session) {
         return isAdminPermission(session.getAccountUuid());
     }

diff --git a/header/src/main/java/org/zstack/header/identity/login/LoginAuthConstant.java b/header/src/main/java/org/zstack/header/identity/login/LoginAuthConstant.java
@@ -7,6 +7,9 @@ public interface LoginAuthConstant {
     String twoFactorAuth = "TWO_FACTOR_AUTH";
     AdditionalAuthFeature twoFactor = new AdditionalAuthFeature(twoFactorAuth);
 
+    String ssoServerLoginControlAuth = "SSO_SERVER_LOGIN_CONTROL_AUTH";
+    AdditionalAuthFeature ssoServerLoginControl = new AdditionalAuthFeature(ssoServerLoginControlAuth);
+
     String LOGIN_SESSION_INVENTORY = "LOGIN_SESSION_INVENTORY";
     String LOGIN_SESSION_INFO = "LOGIN_SESSION_INFO";
 }
diff --git a/header/src/main/java/org/zstack/header/identity/login/LoginBackend.java b/header/src/main/java/org/zstack/header/identity/login/LoginBackend.java
@@ -3,9 +3,7 @@
 import org.zstack.header.core.ReturnValueCompletion;
 import org.zstack.header.identity.LoginType;
 
-import java.util.Collections;
-import java.util.List;
-import java.util.Set;
+import java.util.*;
 
 /**
  * Login implementation interface.
@@ -30,4 +28,8 @@ public interface LoginBackend {
     default Set<String> possibleUserUuidSetForGettingProcedures(LoginContext loginContext) {
         return Collections.emptySet();
     }
+
+    default Map<String, Object> generateJwtTokenClaims(LoginContext loginContext, LoginSessionInfo info) {
+        return new HashMap<>();
+    }
 }
diff --git a/identity/src/main/java/org/zstack/identity/AccountLoginBackend.java b/identity/src/main/java/org/zstack/identity/AccountLoginBackend.java
@@ -9,10 +9,7 @@
 import org.zstack.utils.Utils;
 import org.zstack.utils.logging.CLogger;
 
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
+import java.util.*;
 
 import static org.zstack.core.Platform.err;
 
@@ -32,6 +29,15 @@ public LoginType getLoginType() {
         return loginType;
     }
 
+    @Override
+    public Map<String, Object> generateJwtTokenClaims(LoginContext loginContext, LoginSessionInfo info) {
+        Map<String, Object> claims = new HashMap<>();
+        claims.put(AccountConstant.LOGIN_TYPE_NAME, loginContext.getLoginBackendType());
+        claims.put(AccountConstant.FULL_NAME, loginContext.getUsername());
+        claims.put(AccountConstant.PREFERRED_USERNAME, loginContext.getUsername());
+        return claims;
+    }
+
     @Override
     public void login(LoginContext loginContext, ReturnValueCompletion<LoginSessionInfo> completion) {
         AccountVO vo = Q.New(AccountVO.class)

diff --git a/image/src/main/java/org/zstack/image/ImageSystemTags.java b/image/src/main/java/org/zstack/image/ImageSystemTags.java
@@ -53,4 +53,10 @@ public class ImageSystemTags {
 
     public static String IMAGE_ID ="imageId";
     public static PatternedSystemTag UPLOAD_IMAGE_INFO = new PatternedSystemTag(String.format("uploadImage::{%s}", IMAGE_ID), LongJobVO.class);
+
+    public static final String MARKET_PLACE_TOKEN = "marketplace::true";
+
+    public static PatternedSystemTag CREATED_BY_MARKETPLACE = new PatternedSystemTag(
+            MARKET_PLACE_TOKEN, ImageVO.class
+    );
 }
diff --git a/sdk/src/main/java/SourceClassMap.java b/sdk/src/main/java/SourceClassMap.java
@@ -583,6 +583,7 @@ public class SourceClassMap {
 			put("org.zstack.sso.header.RedirectUrlTemplate", "org.zstack.sdk.RedirectUrlTemplate");
 			put("org.zstack.sso.header.SSOClientInventory", "org.zstack.sdk.SSOClientInventory");
 			put("org.zstack.sso.header.SSORedirectTemplateInventory", "org.zstack.sdk.SSORedirectTemplateInventory");
+			put("org.zstack.sso.header.SSOServerTokenInventory", "org.zstack.sdk.SSOServerTokenInventory");
 			put("org.zstack.sso.header.SSOTokenInventory", "org.zstack.sdk.SSOTokenInventory");
 			put("org.zstack.storage.backup.imagestore.ImageStoreBackupStorageInventory", "org.zstack.sdk.ImageStoreBackupStorageInventory");
 			put("org.zstack.storage.backup.imagestore.ImageStoreGcResult", "org.zstack.sdk.ImageStoreGcResult");
@@ -1178,6 +1179,7 @@ public class SourceClassMap {
 			put("org.zstack.sdk.RunningTaskInfo", "org.zstack.header.core.progress.RunningTaskInfo");
 			put("org.zstack.sdk.SSOClientInventory", "org.zstack.sso.header.SSOClientInventory");
 			put("org.zstack.sdk.SSORedirectTemplateInventory", "org.zstack.sso.header.SSORedirectTemplateInventory");
+			put("org.zstack.sdk.SSOServerTokenInventory", "org.zstack.sso.header.SSOServerTokenInventory");
 			put("org.zstack.sdk.SSOTokenInventory", "org.zstack.sso.header.SSOTokenInventory");
 			put("org.zstack.sdk.SanSecSecretResourcePoolInventory", "org.zstack.crypto.securitymachine.thirdparty.sansec.SanSecSecretResourcePoolInventory");
 			put("org.zstack.sdk.SanSecSecurityMachineInventory", "org.zstack.crypto.securitymachine.thirdparty.sansec.SanSecSecurityMachineInventory");

diff --git a/sdk/src/main/java/org/zstack/sdk/GetOAuth2TokenResult.java b/sdk/src/main/java/org/zstack/sdk/GetOAuth2TokenResult.java
@@ -1,6 +1,7 @@
 package org.zstack.sdk;
 
 import org.zstack.sdk.OAuth2TokenInventory;
+import org.zstack.sdk.SSOServerTokenInventory;
 
 public class GetOAuth2TokenResult {
     public OAuth2TokenInventory inventory;
@@ -11,4 +12,12 @@ public OAuth2TokenInventory getInventory() {
         return this.inventory;
     }
 
+    public SSOServerTokenInventory serverTokenInventory;
+    public void setServerTokenInventory(SSOServerTokenInventory serverTokenInventory) {
+        this.serverTokenInventory = serverTokenInventory;
+    }
+    public SSOServerTokenInventory getServerTokenInventory() {
+        return this.serverTokenInventory;
+    }
+
 }
diff --git a/sdk/src/main/java/org/zstack/sdk/SSOServerTokenInventory.java b/sdk/src/main/java/org/zstack/sdk/SSOServerTokenInventory.java
@@ -0,0 +1,63 @@
+package org.zstack.sdk;
+
+
+
+public class SSOServerTokenInventory  {
+
+    public java.lang.String uuid;
+    public void setUuid(java.lang.String uuid) {
+        this.uuid = uuid;
+    }
+    public java.lang.String getUuid() {
+        return this.uuid;
+    }
+
+    public java.lang.String accessToken;
+    public void setAccessToken(java.lang.String accessToken) {
+        this.accessToken = accessToken;
+    }
+    public java.lang.String getAccessToken() {
+        return this.accessToken;
+    }
+
+    public java.lang.String idToken;
+    public void setIdToken(java.lang.String idToken) {
+        this.idToken = idToken;
+    }
+    public java.lang.String getIdToken() {
+        return this.idToken;
+    }
+
+    public java.lang.String refreshToken;
+    public void setRefreshToken(java.lang.String refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+    public java.lang.String getRefreshToken() {
+        return this.refreshToken;
+    }
+
+    public java.lang.String userUuid;
+    public void setUserUuid(java.lang.String userUuid) {
+        this.userUuid = userUuid;
+    }
+    public java.lang.String getUserUuid() {
+        return this.userUuid;
+    }
+
+    public java.sql.Timestamp createDate;
+    public void setCreateDate(java.sql.Timestamp createDate) {
+        this.createDate = createDate;
+    }
+    public java.sql.Timestamp getCreateDate() {
+        return this.createDate;
+    }
+
+    public java.sql.Timestamp lastOpDate;
+    public void setLastOpDate(java.sql.Timestamp lastOpDate) {
+        this.lastOpDate = lastOpDate;
+    }
+    public java.sql.Timestamp getLastOpDate() {
+        return this.lastOpDate;
+    }
+
+}
diff --git a/sdk/src/main/java/org/zstack/sdk/TokenIntrospectionAction.java b/sdk/src/main/java/org/zstack/sdk/TokenIntrospectionAction.java
@@ -0,0 +1,92 @@
+package org.zstack.sdk;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.zstack.sdk.*;
+
+public class TokenIntrospectionAction extends AbstractAction {
+
+    private static final HashMap<String, Parameter> parameterMap = new HashMap<>();
+
+    private static final HashMap<String, Parameter> nonAPIParameterMap = new HashMap<>();
+
+    public static class Result {
+        public ErrorCode error;
+        public org.zstack.sdk.TokenIntrospectionResult value;
+
+        public Result throwExceptionIfError() {
+            if (error != null) {
+                throw new ApiException(
+                    String.format("error[code: %s, description: %s, details: %s]", error.code, error.description, error.details)
+                );
+            }
+
+            return this;
+        }
+    }
+
+    @Param(required = true, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
+    public java.lang.String token;
+
+    @Param(required = true, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
+    public java.lang.String tokenType;
+
+    @Param(required = false)
+    public java.util.List systemTags;
+
+    @Param(required = false)
+    public java.util.List userTags;
+
+    @NonAPIParam
+    public boolean isSuppressCredentialCheck = true;
+
+    @Param(required = false)
+    public String requestIp;
+
+
+    private Result makeResult(ApiResult res) {
+        Result ret = new Result();
+        if (res.error != null) {
+            ret.error = res.error;
+            return ret;
+        }
+
+        org.zstack.sdk.TokenIntrospectionResult value = res.getResult(org.zstack.sdk.TokenIntrospectionResult.class);
+        ret.value = value == null ? new org.zstack.sdk.TokenIntrospectionResult() : value; 
+
+        return ret;
+    }
+
+    public Result call() {
+        ApiResult res = ZSClient.call(this);
+        return makeResult(res);
+    }
+
+    public void call(final Completion<Result> completion) {
+        ZSClient.call(this, new InternalCompletion() {
+            @Override
+            public void complete(ApiResult res) {
+                completion.complete(makeResult(res));
+            }
+        });
+    }
+
+    protected Map<String, Parameter> getParameterMap() {
+        return parameterMap;
+    }
+
+    protected Map<String, Parameter> getNonAPIParameterMap() {
+        return nonAPIParameterMap;
+    }
+
+    protected RestInfo getRestInfo() {
+        RestInfo info = new RestInfo();
+        info.httpMethod = "POST";
+        info.path = "/token/introspect";
+        info.needSession = false;
+        info.needPoll = false;
+        info.parameterName = "params";
+        return info;
+    }
+
+}
diff --git a/sdk/src/main/java/org/zstack/sdk/TokenIntrospectionResult.java b/sdk/src/main/java/org/zstack/sdk/TokenIntrospectionResult.java
@@ -0,0 +1,14 @@
+package org.zstack.sdk;
+
+
+
+public class TokenIntrospectionResult {
+    public boolean active;
+    public void setActive(boolean active) {
+        this.active = active;
+    }
+    public boolean getActive() {
+        return this.active;
+    }
+
+}
diff --git a/sdk/src/main/java/org/zstack/sdk/sns/ChangeSNSApplicationEndpointStateAction.java b/sdk/src/main/java/org/zstack/sdk/sns/ChangeSNSApplicationEndpointStateAction.java
@@ -28,7 +28,7 @@ public Result throwExceptionIfError() {
     @Param(required = true, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
     public java.lang.String uuid;
 
-    @Param(required = true, validValues = {"enable","disable"}, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
+    @Param(required = true, validValues = {"enable","disable","hide"}, nonempty = false, nullElements = false, emptyString = true, noTrim = false)
     public java.lang.String stateEvent;
 
     @Param(required = false)

diff --git a/testlib/src/main/java/org/zstack/testlib/ApiHelper.groovy b/testlib/src/main/java/org/zstack/testlib/ApiHelper.groovy
@@ -38644,6 +38644,33 @@ abstract class ApiHelper {
     }
 
 
+    def tokenIntrospection(@DelegatesTo(strategy = Closure.OWNER_FIRST, value = org.zstack.sdk.TokenIntrospectionAction.class) Closure c) {
+        def a = new org.zstack.sdk.TokenIntrospectionAction()
+
+        c.resolveStrategy = Closure.OWNER_FIRST
+        c.delegate = a
+        c()
+
+
+        if (System.getProperty("apipath") != null) {
+            if (a.apiId == null) {
+                a.apiId = Platform.uuid
+            }
+
+            def tracker = new ApiPathTracker(a.apiId)
+            def out = errorOut(a.call())
+            def path = tracker.getApiPath()
+            if (!path.isEmpty()) {
+                Test.apiPaths[a.class.name] = path.join(" --->\n")
+            }
+
+            return out
+        } else {
+            return errorOut(a.call())
+        }
+    }
+
+
     def triggerGCJob(@DelegatesTo(strategy = Closure.OWNER_FIRST, value = org.zstack.sdk.TriggerGCJobAction.class) Closure c) {
         def a = new org.zstack.sdk.TriggerGCJobAction()
         a.sessionId = Test.currentEnvSpec?.session?.uuid

diff --git a/testlib/src/main/java/org/zstack/testlib/EnvSpec.groovy b/testlib/src/main/java/org/zstack/testlib/EnvSpec.groovy
@@ -700,13 +700,13 @@ class EnvSpec extends ApiHelper implements Node  {
                               "GarbageCollectorVO",
                               "GuestOsCategoryVO",
                               "TaskProgressVO", "TaskStepVO",
-                              "ResourceVO","SecurityGroupSequenceNumberVO", "MediaVO",
+                              "ResourceVO", "SecurityGroupSequenceNumberVO", "MediaVO",
                               "CaptchaVO", "LoginAttemptsVO", "SchedulerJobHistoryVO",
                               "HistoricalPasswordVO", "BuildAppExportHistoryVO", "InstallPathRecycleVO",
                               "PortMirrorSessionSequenceNumberVO", "LicenseHistoryVO", "EventLogVO", "VmSchedHistoryVO",
                               "EventRecordsVO", "AuditsVO", "AlarmRecordsVO", "VmCrashHistoryVO", "EncryptionIntegrityVO", "FileIntegrityVerificationVO",
                               "EncryptEntityMetadataVO", "VmInstanceDeviceAddressGroupVO", "HostOsCategoryVO", "KvmHostHypervisorMetadataVO",
-                              "HaStrategyConditionVO", "SystemTagVO", "ConsoleProxyAgentVO", "ConsoleProxyVO", "XmlHookVO"]) {
+                              "HaStrategyConditionVO", "SystemTagVO", "ConsoleProxyAgentVO", "ConsoleProxyVO", "XmlHookVO", "SSOServerTokenVO"]) {
                 // those tables will continue having entries during running a test suite
                 return
             }