Layer 7 API Management


Layer7 API Gateway - REST API - Adding new user

  • 1.  Layer7 API Gateway - REST API - Adding new user

    Posted 08-09-2019 05:06 AM
    Hello everyone,

    we need to automate the process of new user creation in our Identity provider which keeps client certificates. It was created as Federated Identity Provider. So I checked what the options are and according to documentation ( /restman/1.0/doc/restDoc.html#1.0/identityProviders ) it is possible only to create new users in Internal identity provider. Can someone verify this info? Is there really no way to use REST API for creation of a new user in other than Internal Identity store? We are expecting a high number of new customers and we need to automate the process. Do I really have to save client certificates in database and create Policy-Backed Identity Provider?

    One more thing. Where can I find how the body should look for all REST API calls? In restDoc there are no sample calls.

    Thanks for your ideas.

    ------------------------------
    Regards,

    Robert
    ------------------------------


  • 2.  RE: Layer7 API Gateway - REST API - Adding new user
    Best Answer

    Posted 08-13-2019 07:54 AM
    Hi Robert,
    As far as I know, it can only be created for the internal identity provider (but I am not sure, because you can define the identityProvider ID in the POST call). What you could do is create a policy-backed IdP or create a service, which just calls the right LDAP commands for creating a user.
    For the documentation of restman: Yeah, we know the pain. What helps you for getting the body part is the "template" command. In this case you can call "/restman/1.0/users/template". With this you will get the body part for the POST/PUT command.
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
        <l7:Name>USER Template</l7:Name>
        <l7:Type>USER</l7:Type>
        <l7:TimeStamp>2019-08-13T11:51:33.220Z</l7:TimeStamp>
        <l7:Link rel="self" uri="https://591064cc7106:8443/restman/1.0/identityProviders/0000000000000000fffffffffffffffe/users/template"/>
        <l7:Link rel="list" uri="https://591064cc7106:8443/restman/1.0/identityProviders/0000000000000000fffffffffffffffe/users"/>
        <l7:Resource>
            <l7:User providerId="0000000000000000fffffffffffffffe">
                <l7:Login>Login</l7:Login>
            </l7:User>
        </l7:Resource>
    </l7:Item>

    Unfortunately the template-command is not complete for every edge case. You have to find this on your own, because the documentation isn't complete. 

    Best,
    Waldemar

    ------------------------------
    Product Manager
    APIIDA AG
    ------------------------------



  • 3.  RE: Layer7 API Gateway - REST API - Adding new user

    Posted 08-16-2019 08:59 AM
    Hello Waldemar,

    thanks for your help. My original idea was to create a policy-backed identity provider, but using Oracle DB which I have at my disposal right away and I am using it anyway for other purposes.
    Another problem is that I want to save in DB the client certificate, but also as a separate field a thumbprint in SHA1 in hex format. In policy I can extract thumbprintSHA1 from the certificate, but it is Base64 encoded. So my problem is how to convert it from Base64 to hex format.
    I have tried to use Base64 decode assertion on thumbprintSHA1 and save the result as ASCII and then use Base16 encode assertion. Unfortunately the result differs from the one I can see in the certificate. Even when I try to decode thumbprintSHA1 from Base64 to hex on some online web tool, the result it displays is correct, but on API GW I get a wrong result. Of course I can save the thumbprint in database in Base64, but I would prefer having it in hex. Any idea how to solve it?

    ------------------------------
    Regards,

    Robert
    ------------------------------

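The conversion Robert describes, as an added example that is not part of the thread or the gateway product: it assumes the policy variable thumbprintSHA1 holds the Base64 of the raw 20-byte SHA-1 digest of the DER certificate, and models the "save as ASCII" step as a text decode (Python's errors="replace") to show why that route cannot reproduce the hex value a certificate viewer shows.

```python
# Added example (not from the thread): convert the Base64 thumbprintSHA1 the
# gateway policy exposes into the hex fingerprint shown in certificate viewers,
# and show why routing the decoded bytes through an ASCII/text step breaks it.
import base64
import hashlib

# Constructed stand-in for a certificate's DER bytes; the real value would be
# the raw certificate (the base64-decoded body of the PEM).
SAMPLE_DER = bytes(range(256)) * 4

def thumbprint_sha1_b64(der: bytes) -> str:
    """What the policy variable holds (assumed): SHA-1 of the DER, Base64-encoded."""
    return base64.b64encode(hashlib.sha1(der).digest()).decode("ascii")

def b64_to_hex(b64: str, sep: str = "") -> str:
    """Correct conversion: Base64 -> raw bytes -> hex of those bytes.
    sep=":" gives the AB:01:... form browsers and openssl print."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 20:
        raise ValueError(f"SHA-1 thumbprint must be 20 bytes, got {len(raw)}")
    return sep.join(f"{b:02X}" for b in raw)

def b64_to_hex_via_text(b64: str) -> str:
    """The failing route: decode to bytes, treat them as ASCII text, re-encode.
    Any byte >= 0x80 is not ASCII and gets replaced, so the resulting hex no
    longer matches the certificate; about half of all digest bytes are hit."""
    text = base64.b64decode(b64).decode("ascii", errors="replace")
    return text.encode("utf-8").hex().upper()
```

Keeping the decoded value as bytes (Base64 decode straight into Base16 encode, with no string variable in between) is the whole fix; any intermediate text representation loses the high bytes.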


  • 4.  RE: Layer7 API Gateway - REST API - Adding new user

    Posted 08-21-2019 05:56 AM
    Hi,
    From our admin framework:

    function createUser {
      # getUsers, getXPathCount, getXPathText, callPOSTService, displayError and
      # the variable internalIdentityProviderId come from the same admin
      # framework and are not shown here. The framework's convention is
      # return 1 = success, return 0 = failure.
      TEMP=$(getopt -o c:i:sn:f:l:p:m:ed --long cert:,name:,password:,formatpwd:,firstname:,lastname:,email:,id:,enable,disable,expire:,unexpire -n 'createUser' -- "$@")
      if [ $? != 0 ] ; then echo "Terminating..." >&2 ; return 0 ; fi
      eval set -- "$TEMP"
    
      local cmdRun="/users"
      local cmdArgs=""
      local userName=""
      local userId=""
      local idArg=""
      local Password=""
      local certPEM=""
      local prov=""
      local firstName=""
      local lastName=""
      local userEmail=""
      local formatPwd="sha512crypt"  # default
      local enableUser="true"  # default
      local expireUser="-1"    # default
      while true; do
        case "$1" in
          -n | --name)      userName="$2"; shift 2 ;;
          # optional fixed id, emitted as an XML attribute on l7:User
          -i | --id)        userId="$2"; idArg="id='${userId}'"; shift 2 ;;
          -c | --cert)      certPEM="$2"; shift 2 ;;
          -p | --password)  Password="$2"; shift 2 ;;
          --formatpwd)      formatPwd="$2"; shift 2 ;;
          -f | --firstname) firstName="$2"; shift 2 ;;
          -l | --lastname)  lastName="$2"; shift 2 ;;
          -m | --email)     userEmail="$2"; shift 2 ;;
          -e | --enable)    enableUser="true"; shift ;;
          -d | --disable)   enableUser="false"; shift ;;
          --unexpire)       expireUser="-1"; shift ;;
          --expire)         expireUser="$2"; shift 2 ;;
          --) shift; break ;;
          *) break ;;
        esac
      done
    
      # positional arguments override the options
      [ -n "$1" ] && userName="$1"
      [ -n "$2" ] && Password="$2"
      [ -n "$3" ] && formatPwd="$3"
      [ -n "$4" ] && firstName="$4"
      [ -n "$5" ] && lastName="$5"
      [ -n "$6" ] && userEmail="$6"
    
      [ -z "$userName" ] && echo "Missing parameters" && return 0
      getUsers
      local userCount=$(getXPathCount "/l7:List/l7:Item[l7:Name='${userName}']")
    
      if [[ "${userCount}" == "0" ]]; then
        # Values are spliced into the XML unescaped: a login or password
        # containing '<', '&' or quotes would break the body.
        local xml="\
      <l7:User providerId='${internalIdentityProviderId}' ${idArg} xmlns:l7='http://ns.l7tech.com/2010/04/gateway-management'> \
         <l7:Login>${userName}</l7:Login> \
         <l7:Password format='${formatPwd}'>${Password}</l7:Password> \
         <l7:FirstName>${firstName}</l7:FirstName> \
         <l7:LastName>${lastName}</l7:LastName> \
         <l7:Email>${userEmail}</l7:Email> \
         <l7:Properties> \
            <l7:Property key='accountExpiration'> \
             <l7:LongValue>${expireUser}</l7:LongValue> \
            </l7:Property> \
            <l7:Property key='enabled'> \
             <l7:BooleanValue>${enableUser}</l7:BooleanValue> \
            </l7:Property> \
            <l7:Property key='name'> \
             <l7:StringValue>${userName}</l7:StringValue> \
            </l7:Property> \
         </l7:Properties> \
      </l7:User>"
        callPOSTService "${cmdRun}" "${xml}"
    
        # a successful POST answers with an l7:Item carrying the new user's id
        local c=$(getXPathCount "/l7:Item/l7:Name")
        local val=$(getXPathText "/l7:Item/l7:Id")
    
        if [[ "$c" -gt 0 ]]; then
          [ -n "${DEBUG}" ] && echo " -> User '${userName}' created with id '${val}'" >&2
          return 1
        else
          echo "**** Error creating ${userName}"
          displayError
          return 0
        fi
      else
        echo "Error user ${userName} already exists"
        return 0
      fi
    }


    For certificate:

    function setUserCertificate {
      # getUserId, getIdentityProviderId, getUserById, removeUserCertificate,
      # callPUTService, getXPathCount and the variable IDENTPROV come from the
      # same admin framework and are not shown here.
      TEMP=$(getopt -o i:n:dc:p: --long name:,id:,cert:,provider:,delete -n 'setUserCertificate' -- "$@")
      if [ $? != 0 ] ; then echo "Terminating..." >&2 ; return 0 ; fi
      eval set -- "$TEMP"
    
      local cmdRun="/users"
      local cmdArgs=""
      local userName=""
      local userId=""
      local deleteCert=0
      local prov=""
      local certPEM=""
      while true; do
        case "$1" in
          # the id is appended to cmdRun once, below
          -i | --id)       userId="$2"; shift 2 ;;
          -n | --name)     userName="$2"; userId="$(getUserId "$userName")"; shift 2 ;;
          -d | --delete)   deleteCert=1; shift ;;
          -c | --cert)     certPEM="$2"; shift 2 ;;
          -p | --provider) prov="$(getIdentityProviderId "$2")"; shift 2 ;;
          --) shift; break ;;
          *) break ;;
        esac
      done
    
      [ -n "$1" ] && userName="$1" && userId="$(getUserId "$userName")"
      [ -n "$2" ] && certPEM="$2"
    
      prov=""  # FIXME: only works on the internal identity provider
      cmdRun="${prov:-${IDENTPROV}}${cmdRun}/${userId}/certificate"
      [ -n "${cmdArgs}" ] && cmdRun+="?${cmdArgs}"
      [ -z "$userName" ] && userName=$(getUserById "$userId")
    
      if [ -n "${userId}" ]; then
        [ "$deleteCert" -eq 1 ] && removeUserCertificate "${userName}"
        # certPEM is the Base64-encoded certificate the l7:Encoded element expects
        local xml="\
      <l7:CertificateData xmlns:l7='http://ns.l7tech.com/2010/04/gateway-management'> \
         <l7:Encoded>${certPEM}</l7:Encoded> \
      </l7:CertificateData>"
        callPUTService "${cmdRun}" "${xml}"
        # 1 when the reply carries an l7:Item (success), 0 otherwise
        local c=$(getXPathCount "/l7:Item/l7:Name")
        return ${c}
      fi
      return 0
    }
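The same l7:User body that the template in reply 2 sketches and the shell function above assembles, as an added example that is not from the thread or APIIDA's framework: it builds the document with an XML serializer so that a login or password containing '<', '&' or quotes is escaped rather than spliced in raw. The provider id is the internal provider id from the template reply; the function names are my own.

```python
# Added example (not from the thread): build the restman l7:User POST body
# with proper XML escaping, and read it back to verify what the gateway sees.
import xml.etree.ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
ET.register_namespace("l7", L7_NS)

def l7(tag: str) -> str:
    """Clark-notation name in the gateway-management namespace."""
    return f"{{{L7_NS}}}{tag}"

def build_user_xml(provider_id, login, password, *, password_format="sha512crypt",
                   first_name="", last_name="", email="", enabled=True,
                   expiration=-1, user_id=None) -> bytes:
    """Body for POST .../identityProviders/{provider_id}/users (assumed layout,
    mirroring the template reply and the shell snippet above)."""
    user = ET.Element(l7("User"), providerId=provider_id)
    if user_id is not None:          # optional fixed id, like the shell --id flag
        user.set("id", user_id)
    ET.SubElement(user, l7("Login")).text = login
    ET.SubElement(user, l7("Password"), format=password_format).text = password
    ET.SubElement(user, l7("FirstName")).text = first_name
    ET.SubElement(user, l7("LastName")).text = last_name
    ET.SubElement(user, l7("Email")).text = email
    props = ET.SubElement(user, l7("Properties"))
    for key, tag, value in (("accountExpiration", "LongValue", str(expiration)),
                            ("enabled", "BooleanValue", str(enabled).lower()),
                            ("name", "StringValue", login)):
        ET.SubElement(ET.SubElement(props, l7("Property"), key=key), l7(tag)).text = value
    # ElementTree escapes '<', '&' and quotes in text and attributes for us
    return ET.tostring(user, encoding="utf-8", xml_declaration=True)

def parse_user_xml(body: bytes) -> dict:
    """Decode the body the way the gateway would, to check the escaping."""
    root = ET.fromstring(body)
    return {"login": root.findtext(l7("Login")),
            "password": root.findtext(l7("Password")),
            "format": root.find(l7("Password")).get("format"),
            "providerId": root.get("providerId"),
            "id": root.get("id")}
```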



  • 5.  RE: Layer7 API Gateway - REST API - Adding new user

    Posted 08-22-2019 03:58 AM
    Hello Philippe,

    I just don't know how to use this code. The format of the body for adding a new user I had found earlier, but it was working for me from Postman only when I was adding a new user to the Internal Identity Provider. But it seems that there is no option to use REST API for adding a new user to another identity provider created by me, which is quite disappointing. So I decided to use the database, otherwise I would have to apply for some LDAP server, which may take some time.

    ------------------------------
    Regards,

    Robert
    ------------------------------