Initial implementation of Kerberos Provisioner (CFM-485)

app/availableplugins/KerberosConnector/config/plugin.json

@@ -0,0 +1,43 @@
+{
+  "types": {
+    "provisioning_target": [
+      "KerberosProvisioners"
+    ],
+    "server": [
+      "KerberosServers"
+    ]
+  },
+  "schema": {
+    "tables": {
+      "kerberos_servers": {
+        "columns": {
+          "id": {},
+          "server_id": {},
+          "hostname": { "type": "string", "size": 256 },
+          "port": { "type": "integer" },
+          "realm": { "type": "string", "size": 256 },
+          "admin_principal": { "type": "string", "size": 256 },
+          "keytab_path": { "type": "string", "size": 256 }
+        },
+        "indexes": {
+          "kerberos_servers_i1": { "columns": [ "server_id" ]}
+        }
+      },
+      "kerberos_provisioners": {
+        "columns": {
+          "id": {},
+          "provisioning_target_id": {},
+          "server_id": { "notnull": false },
+          "type_id": { "notnull": false },
+          "authenticator_id": { "notnull": false }
+        },
+        "indexes": {
+          "kerberos_provisioners_i1": { "columns": [ "provisioning_target_id" ]},
+          "kerberos_provisioners_i2": { "columns": [ "server_id" ]},
+          "kerberos_provisioners_i3": { "columns": [ "type_id" ]},
+          "kerberos_provisioners_i4": { "columns": [ "authenticator_id" ]}
+        }
+      }
+    }
+  }
+}

app/availableplugins/KerberosConnector/resources/locales/en_US/kerberos_connector.po

@@ -0,0 +1,96 @@
+# COmanage Registry Localizations (kerberos_connector domain)
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @link          https://www.internet2.edu/comanage COmanage Project
+# @package       registry-plugins
+# @since         COmanage Registry v5.2.0
+# @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+
+msgid "controller.KerberosServers"
+msgstr "{0,plural,=1{Kerberos Server} other{Kerberos Servers}}"
+
+msgid "error.KerberosServers.admin.cfg"
+msgstr "Kerberos Server configuration does not have admin principal or keytab"
+
+msgid "error.principal.identifier"
+msgstr "No Identifier of configured type found, unable to construct principal"
+
+msgid "field.admin_principal"
+msgstr "Admin Principal"
+
+msgid "field.admin_principal.desc"
+msgstr "The admin principal to bind to the KDC as, required for admin operations only"
+
+msgid "field.authenticator_id"
+msgstr "Password Authenticator"
+
+msgid "field.authenticator_id.desc"
+msgstr "The Password Authenticator whose value to use to provision the Kerberos Server."
+
+msgid "field.keytab_path"
+msgstr "Keytab Path"
+
+msgid "field.keytab_path.desc"
+msgstr "The filesystem path to the keytab file holding credentials for the admin principal, required for admin operations only"
+
+msgid "field.realm"
+msgstr "Kerberos Realm"
+
+msgid "field.realm.desc"
+msgstr "The Realm is case sensitive"
+
+msgid "field.server_id"
+msgstr "Kerberos Server"
+
+msgid "field.server_id.desc"
+msgstr "The Kerberos Server must be configured with an Admin Principal and Keytab Path."
+
+msgid "field.type_id"
+msgstr "Principal Identifier Type"
+
+msgid "field.type_id.desc"
+msgstr "The Identifier Type used to construct the subject Principal. The Identifier value should not include the Kerberos Realm."
+
+msgid "result.created"
+msgstr "Created new principal {0}"
+
+msgid "result.never"
+msgstr "Never"
+
+msgid "result.notprov"
+msgstr "Principal {0} does not exist"
+
+msgid "result.active"
+msgstr "Principal active (expires: {0}), password expires: {1}"
+
+msgid "result.expired"
+msgstr "Principal expired {0}, password expires: {1}"
+
+msgid "result.locked"
+msgstr "Principal locked (expires: {0}, password expires {1})"
+
+msgid "result.locked-p"
+msgstr "Principal {0} is locked"
+
+msgid "result.pwexpired"
+# Note we swap the rendering order to make it more obvious, but the _parameter_ order is unchanged
+msgstr "Password expired {1}, Principal active (expires: {0})"
+
+msgid "result.synced"
+msgstr "Synced existing principal {0}"

app/availableplugins/KerberosConnector/src/Controller/AppController.php

@@ -0,0 +1,10 @@
+<?php
+declare(strict_types=1);
+
+namespace KerberosConnector\Controller;
+
+use App\Controller\AppController as BaseController;
+
+class AppController extends BaseController
+{
+}

app/availableplugins/KerberosConnector/src/Controller/KerberosProvisionersController.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * COmanage Registry Kerberos Provisioners Controller
+ *
+ * Portions licensed to the University Corporation for Advanced Internet
+ * Development, Inc. ("UCAID") under one or more contributor license agreements.
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @link          https://www.internet2.edu/comanage COmanage Project
+ * @package       registry-plugins
+ * @since         COmanage Registry v5.2.0
+ * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ */
+
+declare(strict_types=1);
+
+namespace KerberosConnector\Controller;
+
+use App\Controller\StandardPluginController;
+
+class KerberosProvisionersController extends StandardPluginController {
+  protected array $paginate = [
+    'order' => [
+      'KerberosProvisioners.id' => 'asc'
+    ]
+  ];
+}

app/availableplugins/KerberosConnector/src/Controller/KerberosServersController.php

@@ -0,0 +1,40 @@
+<?php
+/**
+ * COmanage Registry Kerberos Servers Controller
+ *
+ * Portions licensed to the University Corporation for Advanced Internet
+ * Development, Inc. ("UCAID") under one or more contributor license agreements.
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @link          https://www.internet2.edu/comanage COmanage Project
+ * @package       registry-plugins
+ * @since         COmanage Registry v5.2.0
+ * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ */
+
+declare(strict_types=1);
+
+namespace KerberosConnector\Controller;
+
+use App\Controller\StandardPluginController;
+
+class KerberosServersController extends StandardPluginController {
+  protected array $paginate = [
+    'order' => [
+      'KerberosServers.hostname' => 'asc'
+    ]
+  ];
+}

app/availableplugins/KerberosConnector/src/KerberosConnectorPlugin.php

@@ -0,0 +1,98 @@
+<?php
+declare(strict_types=1);
+
+namespace KerberosConnector;
+
+use Cake\Console\CommandCollection;
+use Cake\Core\BasePlugin;
+use Cake\Core\ContainerInterface;
+use Cake\Core\PluginApplicationInterface;
+use Cake\Http\MiddlewareQueue;
+use Cake\Routing\RouteBuilder;
+
+/**
+ * Plugin for KerberosConnector
+ */
+class KerberosConnectorPlugin extends BasePlugin
+{
+    /**
+     * Load all the plugin configuration and bootstrap logic.
+     *
+     * The host application is provided as an argument. This allows you to load
+     * additional plugin dependencies, or attach events.
+     *
+     * @param \Cake\Core\PluginApplicationInterface $app The host application
+     * @return void
+     */
+    public function bootstrap(PluginApplicationInterface $app): void
+    {
+        // remove this method hook if you don't need it
+    }
+
+    /**
+     * Add routes for the plugin.
+     *
+     * If your plugin has many routes and you would like to isolate them into a separate file,
+     * you can create `$plugin/config/routes.php` and delete this method.
+     *
+     * @param \Cake\Routing\RouteBuilder $routes The route builder to update.
+     * @return void
+     */
+    public function routes(RouteBuilder $routes): void
+    {
+        // remove this method hook if you don't need it
+        $routes->plugin(
+            'KerberosConnector',
+            ['path' => '/kerberos-connector'],
+            function (RouteBuilder $builder) {
+                // Add custom routes here
+
+                $builder->fallbacks();
+            }
+        );
+        parent::routes($routes);
+    }
+
+    /**
+     * Add middleware for the plugin.
+     *
+     * @param \Cake\Http\MiddlewareQueue $middlewareQueue The middleware queue to update.
+     * @return \Cake\Http\MiddlewareQueue
+     */
+    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
+    {
+        // Add your middlewares here
+        // remove this method hook if you don't need it
+
+        return $middlewareQueue;
+    }
+
+    /**
+     * Add commands for the plugin.
+     *
+     * @param \Cake\Console\CommandCollection $commands The command collection to update.
+     * @return \Cake\Console\CommandCollection
+     */
+    public function console(CommandCollection $commands): CommandCollection
+    {
+        // Add your commands here
+        // remove this method hook if you don't need it
+
+        $commands = parent::console($commands);
+
+        return $commands;
+    }
+
+    /**
+     * Register application container services.
+     *
+     * @param \Cake\Core\ContainerInterface $container The Container to update.
+     * @return void
+     * @link https://book.cakephp.org/5/en/development/dependency-injection.html#dependency-injection
+     */
+    public function services(ContainerInterface $container): void
+    {
+        // Add your services here
+        // remove this method hook if you don't need it
+    }
+}

app/availableplugins/KerberosConnector/src/Model/Entity/KerberosProvisioner.php

@@ -0,0 +1,51 @@
+<?php
+/**
+ * COmanage Registry Kerberos Provisioner Table
+ *
+ * Portions licensed to the University Corporation for Advanced Internet
+ * Development, Inc. ("UCAID") under one or more contributor license agreements.
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * UCAID licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with the
+ * License. You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * @link          https://www.internet2.edu/comanage COmanage Project
+ * @package       registry-plugins
+ * @since         COmanage Registry v5.2.0
+ * @license       Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ */
+
+declare(strict_types=1);
+
+namespace KerberosConnector\Model\Entity;
+
+use Cake\ORM\Entity;
+
+class KerberosProvisioner extends Entity {
+  use \App\Lib\Traits\EntityMetaTrait;
+
+  /**
+   * Fields that can be mass assigned using newEntity() or patchEntity().
+   *
+   * Note that when '*' is set to true, this allows all unspecified fields to
+   * be mass assigned. For security purposes, it is advised to set '*' to false
+   * (or remove it), and explicitly make individual fields accessible as needed.
+   *
+   * @var array<string, bool>
+   */
+  protected array $_accessible = [
+    '*' => true,
+    'id' => false,
+    'slug' => false,
+  ];
+}