Signed-off-by: Dimitar Milov <dmilov@vmware.com>
@@ -0,0 +1,36 @@
|
||||
/*
|
||||
Copyright 2021 VMware, Inc.
|
||||
SPDX-License-Identifier: BSD-2-Clause
|
||||
*/
|
||||
|
||||
using System.Security.Cryptography.X509Certificates;
|
||||
|
||||
namespace VMware.vSphere.SsoAdminClient.DataTypes
|
||||
{
|
||||
public class AuthenticationPolicy
|
||||
{
|
||||
SsoAdminClient _client;
|
||||
public AuthenticationPolicy(SsoAdminClient client) {
|
||||
_client = client;
|
||||
}
|
||||
|
||||
public SsoAdminClient GetClient() {
|
||||
return _client;
|
||||
}
|
||||
|
||||
public bool PasswordAuthnEnabled { get; internal set; }
|
||||
public bool WindowsAuthnEnabled { get; internal set; }
|
||||
public bool SmartCardAuthnEnabled { get; internal set; }
|
||||
public bool OCSPEnabled { get; internal set; }
|
||||
public bool UseCRLAsFailOver { get; internal set; }
|
||||
public bool SendOCSPNonce { get; internal set; }
|
||||
public string OCSPUrl { get; internal set; }
|
||||
public X509Certificate2 OCSPResponderSigningCert { get; internal set; }
|
||||
public bool UseInCertCRL { get; internal set; }
|
||||
public string CRLUrl { get; internal set; }
|
||||
public int CRLCacheSize { get; internal set; }
|
||||
public string[] Oids { get; internal set; }
|
||||
public string[] TrustedCAs { get; internal set; }
|
||||
|
||||
}
|
||||
}
|
||||
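Review bot: The field declared as `SsoAdminClient _client;` has no access modifier and is not `readonly`, although the only assignment is in the constructor; `private readonly SsoAdminClient _client;` states both facts explicitly and follows the convention of always spelling out accessibility. `GetClient()` would more idiomatically be a get-only property, but the sibling DataTypes classes are not in this hunk, so keeping the method for consistency with them may be deliberate. None of the public members carry XML doc comments; a class `<summary>` should at least say that the object is a read-only snapshot populated by `SsoAdminClient.GetAuthenticationPolicy()` (the setters are `internal`), and `OCSPResponderSigningCert` should document who is responsible for disposing the `X509Certificate2` it holds, which the code does not make clear.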
@@ -1296,5 +1296,130 @@ namespace VMware.vSphere.SsoAdminClient
|
||||
}
|
||||
}
|
||||
#endregion
|
||||
|
||||
#region AuthenticationConfiguration
|
||||
public DataTypes.AuthenticationPolicy GetAuthenticationPolicy() {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var authnPolicy = authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.GetAuthnPolicyAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminConfigurationManagementService",
|
||||
Value = "configurationManagementService"
|
||||
})).Result;
|
||||
|
||||
return new DataTypes.AuthenticationPolicy(this)
|
||||
{
|
||||
PasswordAuthnEnabled = authnPolicy.PasswordAuthnEnabled,
|
||||
WindowsAuthnEnabled = authnPolicy.WindowsAuthEnabled,
|
||||
SmartCardAuthnEnabled = authnPolicy.CertAuthEnabled,
|
||||
CRLCacheSize = authnPolicy.clientCertPolicy.crlCacheSize,
|
||||
CRLUrl = authnPolicy.clientCertPolicy.crlUrl,
|
||||
OCSPEnabled = authnPolicy.clientCertPolicy.ocspEnabled,
|
||||
OCSPResponderSigningCert = string.IsNullOrEmpty(authnPolicy.clientCertPolicy.ocspResponderSigningCert) ? null : new X509Certificate2(authnPolicy.clientCertPolicy.ocspResponderSigningCert),
|
||||
OCSPUrl = authnPolicy.clientCertPolicy.ocspUrl,
|
||||
Oids = authnPolicy.clientCertPolicy.oids,
|
||||
SendOCSPNonce = authnPolicy.clientCertPolicy.sendOCSPNonce,
|
||||
TrustedCAs = authnPolicy.clientCertPolicy.trustedCAs,
|
||||
UseCRLAsFailOver = authnPolicy.clientCertPolicy.useCRLAsFailOver,
|
||||
UseInCertCRL = authnPolicy.clientCertPolicy.useInCertCRL
|
||||
};
|
||||
}
|
||||
|
||||
public void SetAuthenticationPolicy(
|
||||
bool passwordAuthnEnabled,
|
||||
bool windowsAuthnEnabled,
|
||||
bool smartCardAuthnEnabled,
|
||||
int crlCacheSize,
|
||||
string crlUrl,
|
||||
bool ocspEnabled,
|
||||
X509Certificate2 ocspResponderSigningCert,
|
||||
string ocspUrl,
|
||||
string[] oids,
|
||||
bool sendOCSPNonce,
|
||||
string[] trustedCAs,
|
||||
bool useCRLAsFailOver,
|
||||
bool useInCertCRL
|
||||
) {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var ssoAdminAuthnPolicy = new SsoAdminAuthnPolicy{
|
||||
PasswordAuthnEnabled = passwordAuthnEnabled,
|
||||
WindowsAuthEnabled = windowsAuthnEnabled,
|
||||
CertAuthEnabled = smartCardAuthnEnabled,
|
||||
clientCertPolicy = new SsoAdminClientCertPolicy {
|
||||
enabled = smartCardAuthnEnabled,
|
||||
crlCacheSize = crlCacheSize,
|
||||
crlUrl = crlUrl,
|
||||
ocspEnabled = ocspEnabled,
|
||||
ocspUrl = ocspUrl,
|
||||
oids = oids,
|
||||
sendOCSPNonce = sendOCSPNonce,
|
||||
trustedCAs = trustedCAs,
|
||||
useCRLAsFailOver = useCRLAsFailOver,
|
||||
useInCertCRL = useInCertCRL
|
||||
}
|
||||
};
|
||||
if (ocspResponderSigningCert != null) {
|
||||
ssoAdminAuthnPolicy.clientCertPolicy.ocspResponderSigningCert = Convert.ToBase64String(ocspResponderSigningCert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks);
|
||||
}
|
||||
|
||||
|
||||
authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.SetAuthnPolicyAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminConfigurationManagementService",
|
||||
Value = "configurationManagementService"
|
||||
},
|
||||
ssoAdminAuthnPolicy
|
||||
)).Wait();
|
||||
}
|
||||
#endregion
|
||||
|
||||
#region Global Permission
|
||||
public void SetRoleForUser(DataTypes.PersonUser user, string role) {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var authnPolicy = authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.SetRoleAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminRoleManagementService",
|
||||
Value = "roleManagementService"
|
||||
},
|
||||
new SsoPrincipalId{
|
||||
domain = user.Domain,
|
||||
name = user.Name
|
||||
},
|
||||
role)).Result;
|
||||
}
|
||||
|
||||
public void SetRoleForGroup(DataTypes.Group group, string role) {
|
||||
var authorizedInvocationContext =
|
||||
CreateAuthorizedInvocationContext();
|
||||
|
||||
var authnPolicy = authorizedInvocationContext.
|
||||
InvokeOperation(() =>
|
||||
_ssoAdminBindingClient.SetRoleAsync(
|
||||
new ManagedObjectReference
|
||||
{
|
||||
type = "SsoAdminRoleManagementService",
|
||||
Value = "roleManagementService"
|
||||
},
|
||||
new SsoPrincipalId{
|
||||
domain = group.Domain,
|
||||
name = group.Name
|
||||
},
|
||||
role)).Result;
|
||||
}
|
||||
#endregion
|
||||
}
|
||||
}
|
||||
|
||||
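Review bot: In `GetAuthenticationPolicy`, `new X509Certificate2(authnPolicy.clientCertPolicy.ocspResponderSigningCert)` resolves to the `X509Certificate2(string fileName)` constructor, so the certificate text the server returns is treated as a path on the local disk and the call fails whenever a responder signing certificate is configured; `SetAuthenticationPolicy` in the same hunk writes that field as `Convert.ToBase64String(ocspResponderSigningCert.Export(X509ContentType.Cert), ...)`, so the read side should decode it: `OCSPResponderSigningCert = string.IsNullOrEmpty(authnPolicy.clientCertPolicy.ocspResponderSigningCert) ? null : new X509Certificate2(Convert.FromBase64String(authnPolicy.clientCertPolicy.ocspResponderSigningCert)),` (if the service can also hand back a PEM-wrapped value, strip the BEGIN/END markers before decoding). `SetRoleForUser` and `SetRoleForGroup` store `SetRoleAsync(...).Result` in a local named `authnPolicy` that is never read; the name is misleading and the local should go, e.g. by ending those calls with `)).Wait();` as `SetAuthenticationPolicy` does. All four methods block with `.Result`/`.Wait()`, which surfaces server faults wrapped in `AggregateException`; `.GetAwaiter().GetResult()` rethrows the original fault, though if the rest of the file already blocks this way that is a file-wide change rather than one for this commit. The enclosing class begins outside the hunk.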
Modules/VMware.vSphere.SsoAdmin/src/resources/powercli.png
@@ -0,0 +1,95 @@
|
||||
<#
|
||||
Copyright 2021 VMware, Inc.
|
||||
SPDX-License-Identifier: BSD-2-Clause
|
||||
#>
|
||||
|
||||
param(
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$VcAddress,
|
||||
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$User,
|
||||
|
||||
[Parameter(Mandatory = $true)]
|
||||
[string]
|
||||
$Password
|
||||
)
|
||||
|
||||
# Import Vmware.vSphere.SsoAdmin Module
|
||||
$modulePath = Join-Path (Split-Path $PSScriptRoot | Split-Path) "VMware.vSphere.SsoAdmin.psd1"
|
||||
Import-Module $modulePath
|
||||
|
||||
Describe "AuthentcicationPolicy Tests" {
|
||||
BeforeEach {
|
||||
$connection = Connect-SsoAdminServer `
|
||||
-Server $VcAddress `
|
||||
-User $User `
|
||||
-Password $Password `
|
||||
-SkipCertificateCheck
|
||||
}
|
||||
AfterEach {
|
||||
$connectionsToCleanup = $global:DefaultSsoAdminServers.ToArray()
|
||||
foreach ($connection in $connectionsToCleanup) {
|
||||
Disconnect-SsoAdminServer -Server $connection
|
||||
}
|
||||
}
|
||||
|
||||
Context "Get-SsoAuthenticationPolicy" {
|
||||
It 'Retrieves Authentication Policy' {
|
||||
# Act
|
||||
$actual = Get-SsoAuthenticationPolicy
|
||||
|
||||
# Assert
|
||||
$actual | Should -Not -Be $null
|
||||
$actual.GetType().FullName | Should -Be 'VMware.vSphere.SsoAdminClient.DataTypes.AuthenticationPolicy'
|
||||
$actual.PasswordAuthnEnabled | Should -Be $true
|
||||
}
|
||||
}
|
||||
|
||||
Context "Set-SsoAuthenticationPolicy" {
|
||||
It 'Updates AuthenticationPolicy enabling and disabling Smart Card authetication' {
|
||||
# Arrange
|
||||
$expected = Get-SsoAuthenticationPolicy
|
||||
|
||||
# Act
|
||||
$actual = $expected | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $true
|
||||
|
||||
# Assert
|
||||
$actual | Should -Not -Be $null
|
||||
$actual.GetType().FullName | Should -Be 'VMware.vSphere.SsoAdminClient.DataTypes.AuthenticationPolicy'
|
||||
$actual.SmartCardAuthnEnabled | Should -Be $true
|
||||
## Assert other properties are not modified
|
||||
$actual.PasswordAuthnEnabled | Should -Be $expected.PasswordAuthnEnabled
|
||||
$actual.WindowsAuthnEnabled | Should -Be $expected.WindowsAuthnEnabled
|
||||
$actual.CRLCacheSize | Should -Be $expected.CRLCacheSize
|
||||
$actual.CRLUrl | Should -Be $expected.CRLUrl
|
||||
$actual.OCSPEnabled | Should -Be $expected.OCSPEnabled
|
||||
$actual.OCSPResponderSigningCert | Should -Be $expected.OCSPResponderSigningCert
|
||||
$actual.OCSPUrl | Should -Be $expected.OCSPUrl
|
||||
$actual.OIDs | Should -Be $expected.OIDs
|
||||
$actual.SendOCSPNonce | Should -Be $expected.SendOCSPNonce
|
||||
$actual.TrustedCAs | Should -Be $expected.TrustedCAs
|
||||
$actual.UseCRLAsFailOver | Should -Be $expected.UseCRLAsFailOver
|
||||
$actual.UseInCertCRL | Should -Be $expected.UseInCertCRL
|
||||
|
||||
# Revert SmartCardAuthnEnabled to $false
|
||||
$actual = $actual | Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $false
|
||||
$actual.SmartCardAuthnEnabled | Should -Be $false
|
||||
## Assert other properties are not modified
|
||||
$actual.PasswordAuthnEnabled | Should -Be $expected.PasswordAuthnEnabled
|
||||
$actual.WindowsAuthnEnabled | Should -Be $expected.WindowsAuthnEnabled
|
||||
$actual.CRLCacheSize | Should -Be $expected.CRLCacheSize
|
||||
$actual.CRLUrl | Should -Be $expected.CRLUrl
|
||||
$actual.OCSPEnabled | Should -Be $expected.OCSPEnabled
|
||||
$actual.OCSPResponderSigningCert | Should -Be $expected.OCSPResponderSigningCert
|
||||
$actual.OCSPUrl | Should -Be $expected.OCSPUrl
|
||||
$actual.OIDs | Should -Be $expected.OIDs
|
||||
$actual.SendOCSPNonce | Should -Be $expected.SendOCSPNonce
|
||||
$actual.TrustedCAs | Should -Be $expected.TrustedCAs
|
||||
$actual.UseCRLAsFailOver | Should -Be $expected.UseCRLAsFailOver
|
||||
$actual.UseInCertCRL | Should -Be $expected.UseInCertCRL
|
||||
}
|
||||
}
|
||||
}
|
||||
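Review bot: In the `Set-SsoAuthenticationPolicy` test the revert `Set-SsoAuthenticationPolicy -SmartCardAuthnEnabled $false` runs only after all preceding `Should` assertions pass, so one failing assertion leaves the target vCenter with smart-card authentication enabled; move the revert into `AfterEach` (or wrap the assertions in `try`/`finally` with the revert in `finally`) so the live policy is restored regardless of the outcome. The `Describe` and `It` names contain typos: `AuthentcicationPolicy` and `authetication`. `$connection` assigned in `BeforeEach` is never read, since `AfterEach` disconnects everything in `$global:DefaultSsoAdminServers`. The script takes `$Password` as a plain `[string]`; a `[SecureString]` or `[PSCredential]` parameter would keep the secret out of the command line and transcripts, provided `Connect-SsoAdminServer` accepts one, which this hunk does not show.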