add feature to use saml and ldap groups in parallel

README.md

@@ -1,10 +1,3 @@
-TAS version | Compatible?
---- | ---
-2.12 | ![CI](https://ci.cryo.cf-app.com/api/v1/teams/cf-mgmt/pipelines/cf-mgmt/jobs/test-against-tas-2_12/badge)
-2.11 | ![CI](https://ci.cryo.cf-app.com/api/v1/teams/cf-mgmt/pipelines/cf-mgmt/jobs/test-against-tas-2_11_lts2/badge)
-2.10 | ![CI](https://ci.cryo.cf-app.com/api/v1/teams/cf-mgmt/pipelines/cf-mgmt/jobs/test-against-tas-2_10/badge)
-2.7 | ![CI](https://ci.cryo.cf-app.com/api/v1/teams/cf-mgmt/pipelines/cf-mgmt/jobs/test-against-tas-2_7_lts/badge)
-
 # Cloud Foundry Management (cf-mgmt)
 
 Go automation for managing orgs, spaces, users (from ldap groups or internal store) mapping to roles, quotas, application security groups and private-domains that can be driven from concourse pipeline and GIT managed metadata
@@ -109,6 +102,8 @@ Navigate into a directory in which will become your git repository for cf-mgmt c
    - [LDAP only config](docs/config/README.md#ldap-configuration)
    - [SAML with LDAP groups](docs/config/README.md#saml-configuration-with-ldap-group-lookups)
    - [SAML only](docs/config/README.md#saml-configuration)
+   - [SAML with LDAP groups and SAMl Groups](docs/config/README.md#saml-configuration-with-saml group-lookups-and-ldap-group-lookups)
+
 
 4. [Generate the concourse pipeline](docs/config/generate-concourse-pipeline/README.md) using `cf-mgmt-config`
     - ```cf-mgmt-config [OPTIONS] generate-concourse-pipeline [generate-concourse-pipeline-OPTIONS]```
@@ -221,7 +216,7 @@ Some portions of this code are autogenerated.  To regenerate them, install the p
 - `go get -u github.com/jteeuwen/go-bindata/...`
 - `go get -u github.com/maxbrunsfeld/counterfeiter`
 
-And then run `go generate ./...` from the project directory, or `go generate .`
+And then run `go generate $(glide nv)` from the project directory, or `go generate .`
 from a specific directory.
 
 ## Contributing

config/ldap.go

@@ -21,4 +21,9 @@ type LdapConfig struct {
 	UseIDForSAMLUser   bool   `yaml:"useIDForSAMLUser"`
 	MinTLSVersion      string `yaml:"minTLSVersion"`
 	MaxTLSVersion      string `yaml:"maxTLSVersion"`
+	LdapOrigin         string `yaml:"ldapOrigin"`
+	LdapUserFilter     string `yaml:"ldapUserFilter"`
+	SamlUserFilter     string `yaml:"samlUserFilter"`
+	LdapUserFilterMode string `yaml:"ldapUserFilterMode"`
+	SamlUserFilterMode string `yaml:"samlUserFilterMode"`
 }

config/org.go

@@ -125,3 +125,15 @@ func (o *OrgConfig) GetManagerGroups() []string {
 func (o *OrgConfig) GetAuditorGroups() []string {
 	return o.Auditor.groups(o.AuditorGroup)
 }
+
+func (o *OrgConfig) GetBillingManagerSamlGroups() []string {
+	return o.BillingManager.saml_groups(o.BillingManagerGroup)
+}
+
+func (o *OrgConfig) GetManagerSamlGroups() []string {
+	return o.Manager.saml_groups(o.ManagerGroup)
+}
+
+func (o *OrgConfig) GetAuditorSamlGroups() []string {
+	return o.Auditor.saml_groups(o.AuditorGroup)
+}

config/space.go

@@ -122,3 +122,15 @@ func (i *SpaceConfig) GetManagerGroups() []string {
 func (i *SpaceConfig) GetAuditorGroups() []string {
 	return i.Auditor.groups(i.AuditorGroup)
 }
+
+func (i *SpaceConfig) GetDeveloperSamlGroups() []string {
+	return i.Developer.saml_groups(i.DeveloperGroup)
+}
+
+func (i *SpaceConfig) GetManagerSamlGroups() []string {
+	return i.Manager.saml_groups(i.ManagerGroup)
+}
+
+func (i *SpaceConfig) GetAuditorSamlGroups() []string {
+	return i.Auditor.saml_groups(i.AuditorGroup)
+}

config/usermgmt.go

@@ -7,6 +7,7 @@ type UserMgmt struct {
 	SamlUsers  []string `yaml:"saml_users"`
 	LDAPGroup  string   `yaml:"ldap_group,omitempty"`
 	LDAPGroups []string `yaml:"ldap_groups"`
+	SAMLGroups []string `yaml:"saml_groups"`
 }
 
 // UserOrigin is an enum type encoding from what source a user originated.
@@ -25,6 +26,26 @@ const (
 	LDAPOrigin
 )
 
+// groups are always defined as ldap groups for compatibility
+func (u *UserMgmt) saml_groups(groupName string) []string {
+	groupMap := make(map[string]string)
+	for _, group := range u.SAMLGroups {
+		groupMap[group] = group
+	}
+	if groupName != "" {
+		groupMap[groupName] = groupName
+	}
+
+	result := make([]string, 0, len(groupMap))
+	for k := range groupMap {
+		result = append(result, k)
+	}
+	return result
+}
+
+// ne function to get the saml_groups (which are technically ldap groups, but the contained users will be synced)
+// to cf as user with saml origin
+
 func (u *UserMgmt) groups(groupName string) []string {
 	groupMap := make(map[string]string)
 	for _, group := range u.LDAPGroups {

config/yaml_config.go

@@ -553,6 +553,11 @@ func (m *yamlManager) LdapConfig(ldapBindUser, ldapBindPassword, ldapServer stri
 	if config.Origin == "" {
 		config.Origin = "ldap"
 	}
+
+	if config.LdapOrigin == "" {
+		config.LdapOrigin = config.Origin
+	}
+
 	return config, nil
 }
 

docs/config/README.md

@@ -411,6 +411,56 @@ minTLSVersion: 1.0
 maxTLSVersion: 1.3
 ```
 
+### SAML Configuration with saml group lookups AND ldap group lookups
+
+LDAP configuration file ```ldap.yml``` is located under the ```config``` folder. To have cf-mgmt create SAML users in UAA need to enable ldap to lookup the user information from an LDAP source to properly create the SAML users.  In orgConfig.yml and spaceConfig.yml leverage saml_groups.
+
+If you provide ldapOrigin in the ldap.yaml in addition to origin (which is the saml origin in this case) ldap_groups and ldap_users the users are created with ldapOrigin. If you do not provide ldapOrigin ldap_users and ldap_groups are created with Origin (in this case saml origin)
+```yml
+enabled: true
+ldapHost: 127.0.0.1
+ldapPort: 10389
+#true/false (default false)
+use_tls: true
+bindDN: uid=admin,ou=system
+userSearchBase: ou=users,dc=example,dc=com
+userNameAttribute: uid
+# optional added in v1.0.20+
+userObjectClass: <object class that matches your ldap/active directory configuration for users (inetOrgPerson, organizationalPerson)>
+userMailAttribute: mail
+groupSearchBase: ou=groups,dc=example,dc=com
+groupAttribute: member
+# optional added in v1.0.20+
+groupObjectClass: <object class that matches your ldap/active directory configuration for groups (group, groupOfNames)>
+origin: <needs to match origin configured for elastic runtime>
+ldapOrigin: "ldap"
+
+# optional added in 1.0.11+ - true/false
+insecure_skip_verify: false
+# optional added in 1.0.11+ if ldap server is signed by non-public CA provide ca pem here
+ca_cert: |
+
+# optional added in 1.0.37 - true/false.  If true it will use userid from ldap group lookup vs email address for userid
+useIDForSAMLUser: false
+
+# optional added in 1.0.47+ if omitted 1.0 is min, 1.3 is max.  Valid values 1.0, 1.1, 1.2, 1.3 or blank
+minTLSVersion: 1.0
+maxTLSVersion: 1.3
+```
+
+### Filtering saml_groups and ldap_groups
+
+LDAP configuration file ```ldap.yml``` is located under the ```config``` folder. If you leverage ldap_groups or saml_groups in orgConfig.yml and/or spaceConfig.yml, the users found in accordig groups may be filtered through a samlGroupFilter or ldapGroupFilter in ldap.yaml. Filter values may be all valid golang regular expressions. Via ldapUserFilterMode/samlUserFilterMode the filter can be set to include or exclude
+
+```yml
+ldapGroupFilter: "^foo"
+samlGroupFilter: ".*"
+ldapUserFilterMode: "include"
+samlUserFilterMode: "exclude"
+
+```
+
+
 ### SAML Configuration
 
 LDAP configuration file ```ldap.yml``` is located under the ```config``` folder. To have cf-mgmt create SAML users you can disable ldap integration for looking up users in ldap groups with v0.0.66+ as orgConfig.yml and spaceConfig.yml now includes a saml_users array attribute which can contain a list of email addresses.

ldap/types.go

@@ -17,4 +17,5 @@ type User struct {
 	UserDN string
 	UserID string
 	Email  string
+	Origin string
 }