By: Sakit Atakishiyev user 05 May 2017 at 6:07 a.m. CDT

30 Responses
Hello. I have some problems relating to custom scripts. I want to create a custom authorization script. Here is my example: I have some users. I created 2 groups: A and B. I added some of the users to group A. I want to make it so that if a user is not in group A, he will not be able to call a certain scope. That is why I created a policy (custom script) and added it to that scope. I added a custom attribute that keeps the groups' inums ("allowed_groups"). The problem is that when the user calls the scope, I cannot get the user's data in the script. In oAuth, there is authorizationContext.getUserClaim("memberOf") or authorizationContext.getUserClaimByLdapName("memberOf"). But they don't work. How can I get the user's data in the authorizationContext or in my custom script? This is my code example:

```
from org.xdi.model.custom.script.type.uma import AuthorizationPolicyType
from org.xdi.util import StringHelper, ArrayHelper
from java.util import Arrays, ArrayList, HashSet
from org.xdi.oxauth.service.uma.authorization import AuthorizationContext
import java

class AuthorizationPolicy(AuthorizationPolicyType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, configurationAttributes):
        print "UMA authorization policy. Initialization"
        self.groupsSet = self.prepareGroupsSet(configurationAttributes)
        print "UMA authorization policy. Initialization. Count authorized group: %s" % self.groupsSet.size()
        print "UMA authorization policy. Initialized successfully"
        return True

    def destroy(self, configurationAttributes):
        print "UMA authorization policy. Destroy"
        print "UMA authorization policy. Destroyed successfully"
        return True

    def getApiVersion(self):
        return 1

    # Process policy rule
    # authorizationContext is org.xdi.oxauth.service.uma.authorization.AuthorizationContext
    # configurationAttributes is java.util.Map<String, SimpleCustomProperty>
    def authorize(self, authorizationContext, configurationAttributes):
        print "UMA Authorization policy. Attempting to authorize group"
        groups_of_user = authorizationContext.getGrant().getUser().getAttribute("memberOf")
        print "UMA Authorization policy. Groups of User: ", groups_of_user
        j = 0
        count_of_groups = len(groups_of_user)
        while (j < count_of_groups):
            group = groups_of_user[j]
            j = j + 1
            if (self.groupsSet.contains(group)):
                print "UMA Authorization policy. Authorizing group"
                return True
        print "UMA Authorization policy. Group isn't authorized"
        return False

    def prepareGroupsSet(self, configurationAttributes):
        groupsSet = HashSet()
        if (not configurationAttributes.containsKey("allowed_groups")):
            return groupsSet
        allowedGroupsList = configurationAttributes.get("allowed_groups").getValue2()
        if (StringHelper.isEmpty(allowedGroupsList)):
            print "UMA authorization policy. Initialization. The property allowed_groups is empty"
            return groupsSet
        allowedGroupsListArray = StringHelper.split(allowedGroupsList, ",")
        if (ArrayHelper.isEmpty(allowedGroupsListArray)):
            print "UMA authorization policy. Initialization. There aren't groups specified in allowed_groups property"
            return groupsSet
        # Convert to HashSet for quick search
        i = 0
        count = len(allowedGroupsListArray)
        while (i < count):
            group = allowedGroupsListArray[i]
            groupsSet.add(group)
            i = i + 1
        return groupsSet
```

This line does not return the user's groups to me:

```
groups_of_user = authorizationContext.getGrant().getUser().getAttribute("memberOf")
```

I also used this code example. But again I could not get the user's data.

```
from org.xdi.oxauth.service.uma.authorization import IPolicyExternalAuthorization
from org.xdi.util import StringHelper

class PythonExternalAuthorization(IPolicyExternalAuthorization):
    def authorize(self, authorizationContext):
        print "authorizing..."
        if StringHelper.equalsIgnoreCase(authorizationContext.getUserClaim("locality"), "Austin"):
            print "authorized"
            return True
        return False
```

By Michael Schwartz Account Admin 07 May 2017 at 2:50 p.m. CDT

Was this issue resolved?

By Sakit Atakishiyev user 08 May 2017 at 12:10 a.m. CDT

No. I'm waiting for your help

By Michael Schwartz Account Admin 08 May 2017 at 8:24 a.m. CDT

Are you passing the AAT per Yuriy's latest build?

By Sakit Atakishiyev user 08 May 2017 at 8:36 a.m. CDT

What do you mean?

By Michael Schwartz Account Admin 08 May 2017 at 8:47 a.m. CDT

Available in beta branch here: https://github.com/GluuFederation/oxd/tree/version_3.1.0_beta

Maven repo: https://ox.gluu.org/maven/org/xdi/oxd-server/3.1.0_beta/

Workflow should look as:

1. `get_authorization_url` and make sure that the "uma_authorization" scope is present (required for AAT)
2. redirect the end-user for authentication and authorization
3. call `get_tokens_by_code` and get back the access_token
4. use that access_token as the AAT; for this, call the `uma_rp_get_rpt` command with the additional OPTIONAL `aat` parameter

Command request looks like this:

```
{
    "command":"uma_rp_get_rpt",
    "params": {
        "oxd_id":"6F9619FF-8B86-D011-B42D-00CF4FC964FF",   <- REQUIRED
        "aat": "<AAT>",                                     <- OPTIONAL access_token with uma_authorization scope
        "force_new": false                                  <- REQUIRED indicates whether to return a new RPT; in general should be false, so oxd server can cache/reuse the same RPT
    }
}
```

By Sakit Atakishiyev user 08 May 2017 at 9 a.m. CDT

I got it. I will return to you after trying that. Thank you

By Sakit Atakishiyev user 17 May 2017 at 6:28 a.m. CDT

Hi. I passed the AAT when I called uma_rp_get_rpt. But I got an error again. The problem is this:

```
2017-05-17 14:11:30,796 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"uma_rp_get_rpt","params":{"aat":"dda7449a-981a-4307-9757-1bb33f9a47e6","oxd_id":"37ea6600-c15a-464c-9a1b-8e3ff6cbfb81","force_new":false,"protection_access_token":null}}', m_leftString=''}
2017-05-17 14:11:30,796 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"uma_rp_get_rpt","params":{"aat":"dda7449a-981a-4307-9757-1bb33f9a47e6","oxd_id":"37ea6600-c15a-464c-9a1b-8e3ff6cbfb81","force_new":false,"protection_access_token":null}}
2017-05-17 14:11:30,798 DEBUG [org.xdi.oxd.server.service.UmaTokenService] PAT from site configuration, PAT: c9a75ce0-ea4d-424c-a2d9-19dc61a075d0
2017-05-17 14:11:30,831 ERROR [org.xdi.oxd.server.Processor] IOException
org.jboss.resteasy.client.exception.ResteasyIOException: IOException
	at org.jboss.resteasy.client.exception.mapper.ApacheHttpClient4ExceptionMapper.mapIOException(ApacheHttpClient4ExceptionMapper.java:109)
	at org.jboss.resteasy.client.exception.mapper.ApacheHttpClient4ExceptionMapper.toException(ApacheHttpClient4ExceptionMapper.java:66)
	at org.jboss.resteasy.client.exception.mapper.ApacheHttpClient4ExceptionMapper.toException(ApacheHttpClient4ExceptionMapper.java:58)
	at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:120)
	at org.jboss.resteasy.client.core.ClientProxy.invoke(ClientProxy.java:89)
	at com.sun.proxy.$Proxy45.introspectToken(Unknown Source)
	at org.xdi.oxd.server.service.UmaTokenService.putAat(UmaTokenService.java:340)
	at org.xdi.oxd.server.op.RpGetRptOperation.execute(RpGetRptOperation.java:31)
	at org.xdi.oxd.server.op.RpGetRptOperation.execute(RpGetRptOperation.java:20)
	at org.xdi.oxd.server.Processor.process(Processor.java:78)
	at org.xdi.oxd.server.Processor.process(Processor.java:53)
	at org.xdi.oxd.server.SocketProcessor.run(SocketProcessor.java:60)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
	at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor.execute(ApacheHttpClient4Executor.java:195)
	at org.jboss.resteasy.client.ClientRequest.execute(ClientRequest.java:439)
	at org.jboss.resteasy.client.ClientRequest.httpMethod(ClientRequest.java:686)
	at org.jboss.resteasy.client.core.ClientInvoker.invoke(ClientInvoker.java:113)
	... 11 more
2017-05-17 14:11:30,855 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"error","data":{"error":"internal_error","error_description":"Unknown internal server error occurs."}}
2017-05-17 14:11:30,855 ERROR [org.xdi.oxd.server.SocketProcessor] Quit. Enable to process command.
```

By Sakit Atakishiyev user 17 May 2017 at 11:52 p.m. CDT

Kindly reminder :)

By William Lowe user 18 May 2017 at 9:08 a.m. CDT

Sakit, The nature of community support is that we get to questions as we can... that's the best we can do for free! Thanks, Will

By Sakit Atakishiyev user 18 May 2017 at 9:20 a.m. CDT

I understand you. But it is a bug :) What is your offer for this issue?

By Yuriy Zabrovarnyy staff 18 May 2017 at 3:32 p.m. CDT

It's fixed in master branch. Just integrated into 3.1.0_beta too. Repo updated, please take the latest version (re-download it): https://ox.gluu.org/maven/org/xdi/oxd-server/3.1.0_beta/ Thanks, Yuriy

By Sakit Atakishiyev user 19 May 2017 at 12:18 a.m. CDT

I am aware of that. I use this version: https://ox.gluu.org/maven/org/xdi/oxd-server/3.1.0-SNAPSHOT/ What else can it be?

By Yuriy Zabrovarnyy staff 19 May 2017 at 1:36 a.m. CDT

I updated in maven repo only 3.1.0_beta. Do you mean it does not work for you with beta? Can you provide full oxd-server.log?

By Yuriy Zabrovarnyy staff 19 May 2017 at 3:52 a.m. CDT

From the logs I can see that you use a build from "May 5", which of course does not have the fix. I prepared the fix in the beta version of oxd. Would you please try the beta? If there are any issues with that beta version please report directly here. Thanks, Yuriy

By Yuriy Zabrovarnyy staff 19 May 2017 at 6:33 a.m. CDT

I see a typo, fixing it. Stay tuned ...

By Yuriy Zabrovarnyy staff 19 May 2017 at 6:38 a.m. CDT

Fixed, please download the new beta build from the maven repo: https://ox.gluu.org/maven/org/xdi/oxd-server/3.1.0_beta/

Also, would you be so kind as to attach `oxd-server.log` as a file. It is more convenient to read a file instead of inlining the log directly. Thanks, Yuriy

By Sakit Atakishiyev user 19 May 2017 at 7:53 a.m. CDT

Good work. Now I'm checking custom authorization scripts. I will be back after checking. Thank you so much.

By Sakit Atakishiyev user 23 May 2017 at 8:59 a.m. CDT

I faced another conflict. I generated a policy (UMA custom script). In that script I just print the user's data to the console (log) and I see that information in this log (/opt/gluu/jetty/oxauth/logs/oxauth_script.log). Then I added it to a certain scope of a resource and started calling the check_access endpoint. The first time I called check_access, the script worked and the user's data (I mean user_dn, user_id etc.) was printed to that log. That is ok. Then I tried to check access with another user but with the same client_id, and that script did not work; I mean nothing was printed. What is the reason for it?

By Yuriy Zabrovarnyy staff 23 May 2017 at 9:52 a.m. CDT

It's hard to guess without code or anything but I will try ... The authorization script is called during the `uma_rp_authorize_rpt` command. On the `uma_rs_check_access` command it introspects the RPT and checks whether it has access (it does not call the authorization script). I guess in the first case you also call `uma_rp_authorize_rpt` somewhere, which leads to the script triggering. In the second case you don't call the authorization command, so it is not triggered. Hope it helps, Yuriy

By Sakit Atakishiyev user 24 May 2017 at 3:42 a.m. CDT

Hi again. I got it and corrected that. Thanks. But I faced another issue. I have a user that is included in many groups, I mean he has many memberOf claims. I want to use all these memberOf claims in the custom script. That is why I use this method: authorizationContext.getUserClaim("memberOf") or authorizationContext.getGrant().getUser().getAttribute("memberOf"). But these methods return only one memberOf value, not a list. How can I get all values named memberOf?

By Yuriy Zabrovarnyy staff 24 May 2017 at 3:56 a.m. CDT

I've just checked the code and it is true, it fetches only the first value of the entry. Added a method to get the entire entry in the 3.1 version here: https://github.com/GluuFederation/oxAuth/commit/24bfad71d2461b6700ca25f975f299602dd2ccdc You can pull the sources and build the oxauth.war file. Thanks, Yuriy

By Sakit Atakishiyev user 24 May 2017 at 5:23 a.m. CDT

I got it. Now I am checking. Thanks

By Sakit Atakishiyev user 30 May 2017 at 7:51 a.m. CDT

Hi. I checked that, but it seems the issue was not resolved. I use this code block:

```
def authorize(self, authorizationContext, configurationAttributes):
    print "DEON user_id : ", authorizationContext.getGrant().getUserId()
    print "DEON getUserClaimEntryByLdapName: ", authorizationContext.getUserClaimEntryByLdapName("memberOf")
    print "DEON getUserClaimByLdapName: ", authorizationContext.getUserClaimByLdapName("memberOf")
    return True
```

But again these methods do not return me a list. So here are my results:

```
2017-05-30 12:42:56,195 INFO [qtp242131142-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - DEON user_id :
2017-05-30 12:42:56,198 INFO [qtp242131142-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - admin
2017-05-30 12:42:56,200 INFO [qtp242131142-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - DEON getUserClaimEntryByLdapName:
2017-05-30 12:42:56,202 INFO [qtp242131142-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - BaseEntry [dn=inum=@!1F9C.4F7F.95C9.1E65!0001!52EC.A76A!0000!A8F2.DE1E.D7FB,ou=people,o=@!1F9C.4F7F.95C9.1E65!0001!52EC.A76A,o=gluu]
2017-05-30 12:42:56,202 INFO [qtp242131142-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - DEON getUserClaimByLdapName:
2017-05-30 12:42:56,206 INFO [qtp242131142-14] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:219) - inum=@!1F9C.4F7F.95C9.1E65!0001!52EC.A76A!0003!60B7,ou=groups,o=@!1F9C.4F7F.95C9.1E65!0001!52EC.A76A,o=gluu
```

By Yuriy Zabrovarnyy staff 30 May 2017 at 8:08 a.m. CDT

Sakit, do you get the entire entry if you call `getUserClaimEntryByLdapName(null)`?

https://github.com/GluuFederation/oxCore/blob/master/oxLdap/src/main/java/org/xdi/ldap/model/CustomEntry.java#L24-24

By Sakit Atakishiyev user 30 May 2017 at 8:13 a.m. CDT

No. I do not get the entire entry. Even the result is not related to what I expect, as you see. I mean, I call this method: authorizationContext.getUserClaimEntryByLdapName("memberOf"). The result of this must be the list of groups that the user is in, because that user has many groups. But this is the result:

```
BaseEntry [dn=inum=@!1F9C.4F7F.95C9.1E65!0001!52EC.A76A!0000!A8F2.DE1E.D7FB,ou=people,o=@!1F9C.4F7F.95C9.1E65!0001!52EC.A76A,o=gluu]
```

By Yuriy Zabrovarnyy staff 30 May 2017 at 8:23 a.m. CDT

Ok, I think it's a misunderstanding: the method returns `CustomEntry`, which is an object, so you have to call `getCustomAttributeValue` and iterate via the attributes. From what I see you passed the `CustomEntry` object to the print method, which calls `toString` and shows the DN of the entry. Would you please iterate over the attributes?

By Yuriy Zabrovarnyy staff 30 May 2017 at 8:26 a.m. CDT

Here it is: https://github.com/GluuFederation/oxCore/blob/master/oxLdap/src/main/java/org/xdi/ldap/model/BaseEntry.java#L46-46

By Sakit Atakishiyev user 30 May 2017 at 8:26 a.m. CDT

I got it, I'm checking now. Thanks

By Sakit Atakishiyev user 30 May 2017 at 9:04 a.m. CDT

It worked. Good work!! Eventually I closed this ticket )). Thanks.

By William Lowe user 30 May 2017 at 9:07 a.m. CDT

Great to hear! Thanks for your persistence.