Fix gateway user calculation for checking gw user against LDAP policy.

Add comment to SPP access request and also as metadata in audit trail about the original user UPN.
OneIdentity · Jun 9, 2021 · bf6e7b9 · bf6e7b9
1 parent 99d53fc
commit bf6e7b9
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 23 deletions.
diff --git a/default.cfg b/default.cfg
@@ -19,18 +19,14 @@
 # type $$ instead. For more information, read the "Store sensitive plugin data
 # securely" section in the Tutorial document.
 [plugin]
-# Whether to split the username along to '@' sign into a username and domain part.
-# Keep default 'yes' if in doubt.
-; split_username=yes
-
 # Which authentication provider for the user in SPP to authorize the user.
 # If left unset then the domain part of the username is used.
 ; spp_auth_provider=Local
 
 # To change the external domain name of users to an internal domain name,
 # e.g. [email protected] to x.y@private, set replace_domain to the desired value.
 # This new domain name would be used as the auth provider in SPP.
-; replace_domain=quest.internal
+; replace_domain=company.internal
 
 # To refuse connection from some networks, set up exclude_networks list.
 # Useful for stopping users from connecting from a local network.

diff --git a/plugin/plugin.py b/plugin/plugin.py
@@ -30,30 +30,31 @@ class Plugin(AAPlugin):
     def _extract_mfa_password(self):
         return 'can pass'
 
+    def _extract_username(self):
+        username = super()._extract_username()
+        self.original_username = username
+        new_domain = self.plugin_configuration.get(PLUGIN_SECTION, 'replace_domain')
+        if new_domain:
+            (username, domain) = split_username(username)
+            return username + '@' + new_domain
+        return username
+
+    @cookie_property
+    def original_username(self):
+        pass
+
     @cookie_property
     def spp_username(self):
-        if self.plugin_configuration.getboolean(PLUGIN_SECTION, 'split_username', True):
-            (username, domain) = self.split_username()
-            return username
-        return self.username
+        (username, domain) = split_username(self.username)
+        return username
 
     @cookie_property
     def spp_auth_provider(self):
         provider = self.plugin_configuration.get(PLUGIN_SECTION, 'spp_auth_provider')
         if provider:
             return provider
-        new_domain = self.plugin_configuration.get(PLUGIN_SECTION, 'replace_domain')
-        if new_domain:
-            return new_domain
-        (username, domain) = self.split_username()
-        return domain
-
-    def split_username(self):
-        if '@' not in self.username:
-            return self.username, ""
-        username_r = self.username[::-1]
-        atidx = len(username_r) - username_r.find('@')
-        return self.username[:atidx - 1], self.username[atidx:]
+        (username, domain) = split_username(self.username)
+        return domain if domain else 'Local'
 
     def do_authenticate(self):
         self.session_cookie.setdefault("SessionId", self.connection.session_id)
@@ -139,6 +140,7 @@ def do_authorize(self):
                     auth_provider=self.spp_auth_provider,
                     auth_user=self.spp_username,
                     protocol=self.connection.protocol,
+                    reason_comment=self.session_comment()
                 )
                 self.session_cookie["WorkflowStatus"] = "access-requested"
                 self.session_cookie["AccessRequestId"] = access_request["Id"]
@@ -211,7 +213,7 @@ def do_authorize(self):
 
             return {"verdict": "DENY"}
 
-        return AAResponse.accept()
+        return AAResponse.accept(self.session_comment())
 
     def is_client_excluded(self):
         client_address = ip_address(self.connection.client_ip)
@@ -222,6 +224,9 @@ def is_client_excluded(self):
                 return True
         return False
 
+    def session_comment(self):
+        return 'SRA,gateway_user_external_upn={}'.format(self.original_username)
+
     def do_session_ended(self):
         try:
             session_id = self.session_cookie["SessionId"]
@@ -312,3 +317,11 @@ def delete(self):
             os.remove(os.path.join(self.path))
         except FileNotFoundError:
             pass
+
+
+def split_username(username):
+    if '@' not in username:
+        return username, None
+    username_r = username[::-1]
+    atidx = len(username_r) - username_r.find('@')
+    return username[:atidx - 1], username[atidx:]
diff --git a/plugin/vault.py b/plugin/vault.py
@@ -203,7 +203,7 @@ def get_accounts_in_scope_for_asset_by_name(
         return self._get(url, parameters=request, auth="SPSInteractive")
 
     def create_access_request(
-        self, *, asset_id, account_id, auth_provider, auth_user, protocol
+        self, *, asset_id, account_id, auth_provider, auth_user, protocol, reason_comment
     ):
         print("Create access request")
 
@@ -217,6 +217,7 @@ def create_access_request(
             "ForProvider": auth_provider,
             "AccessRequestType": protocol,
             "ReasonCode": "SPS",
+            "ReasonComment": reason_comment
         }
 
         return self._post(url, post_data=access_request, auth="SPSInteractive")