Hi,
From our admin framework:
function createUser {
  # Helpers used below (getUsers, getXPathCount, getXPathText, callPOSTService,
  # displayError) and the variable internalIdentityProviderId come from the rest
  # of the admin framework and are not shown here.
  local TEMP
  TEMP=$(getopt -o c:i:sn:f:l:p:m:ed --long cert:,name:,password:,formatpwd:,firstname:,lastname:,email:,id:,enable,disable,expire:,unexpire -n 'createUser' -- "$@")
  if [ $? != 0 ] ; then echo "Terminating..." >&2 ; return 0 ; fi
  eval set -- "$TEMP"
  local cmdRun="/users"
  local cmdArgs=""
  local userName=""
  local userId=""
  local idArg=""        # optional id='...' attribute for the <l7:User> element
  local Password=""
  local certPEM=""
  local prov=""
  local firstName=""
  local lastName=""
  local userEmail=""
  local formatPwd="sha512crypt" # default
  local enableUser="true"       # default
  local expireUser="-1"         # default (no expiration)
  while true; do
    case "$1" in
      -n | --name) userName="$2"; shift 2 ;;
      # the attribute must be quoted to be valid XML, and the ';' before shift was missing
      -i | --id) userId="$2"; idArg="id='${userId}'"; shift 2 ;;
      -c | --cert) certPEM="$2"; shift 2 ;;
      -p | --password) Password="$2"; shift 2 ;;
      --formatpwd) formatPwd="$2"; shift 2 ;;
      -f | --firstname) firstName="$2"; shift 2 ;;
      -l | --lastname) lastName="$2"; shift 2 ;;
      -m | --email) userEmail="$2"; shift 2 ;;
      -e | --enable) enableUser="true"; shift ;;
      -d | --disable) enableUser="false"; shift ;;
      --unexpire) expireUser="-1"; shift ;;
      --expire) expireUser="$2"; shift 2 ;;
      --) shift; break ;;
      *) break ;;
    esac
  done
  # positional arguments override the options above
  [ -n "$1" ] && userName="$1"
  [ -n "$2" ] && Password="$2"
  [ -n "$3" ] && formatPwd="$3"
  [ -n "$4" ] && firstName="$4"
  [ -n "$5" ] && lastName="$5"
  [ -n "$6" ] && userEmail="$6"
  [ -z "$userName" ] && echo "Missing parameters" && return 0
  getUsers
  local userCount=$(getXPathCount "/l7:List/l7:Item[l7:Name='${userName}']")
  if [[ "${userCount}" == "0" ]]; then
    # Note: the values are interpolated into the XML unescaped; a name or e-mail
    # containing <, & or ' breaks the document, so validate input before calling.
    local xml="\
<l7:User providerId='${internalIdentityProviderId}' ${idArg} xmlns:l7='http://ns.l7tech.com/2010/04/gateway-management'> \
  <l7:Login>${userName}</l7:Login> \
  <l7:Password format='${formatPwd}'>${Password}</l7:Password> \
  <l7:FirstName>${firstName}</l7:FirstName> \
  <l7:LastName>${lastName}</l7:LastName> \
  <l7:Email>${userEmail}</l7:Email> \
  <l7:Properties> \
    <l7:Property key='accountExpiration'> \
      <l7:LongValue>${expireUser}</l7:LongValue> \
    </l7:Property> \
    <l7:Property key='enabled'> \
      <l7:BooleanValue>${enableUser}</l7:BooleanValue> \
    </l7:Property> \
    <l7:Property key='name'> \
      <l7:StringValue>${userName}</l7:StringValue> \
    </l7:Property> \
  </l7:Properties> \
</l7:User>"
    callPOSTService "${cmdRun}" "${xml}"
    local c=$(getXPathCount "/l7:Item/l7:Name")
    local val=$(getXPathText "/l7:Item/l7:Id")
    # numeric comparison; the original compared the count as a string
    if [[ "${c}" -gt 0 ]]; then
      [ -n "${DEBUG}" ] && echo " -> User '${userName}' created with id '${val}'" >&2
      return 1
    else
      echo "**** Error creating ${userName}"
      displayError
      return 0
    fi
  else
    echo "Error user ${userName} already exists"
    return 0
  fi
}
For certificate:
function setUserCertificate {
  # Helpers used below (getUserId, getUserById, getIdentityProviderId,
  # removeUserCertificate, callPUTService, getXPathCount) and the variable
  # IDENTPROV come from the rest of the admin framework and are not shown here.
  local TEMP
  TEMP=$(getopt -o i:n:dc:p: --long name:,id:,cert:,provider:,delete -n 'setUserCertificate' -- "$@")
  if [ $? != 0 ] ; then echo "Terminating..." >&2 ; return 0 ; fi
  eval set -- "$TEMP"
  local cmdRun="/users"
  local cmdArgs=""
  local userName=""
  local userId=""
  local deleteCert=0
  local prov=""
  local certPEM=""
  while true; do
    case "$1" in
      # the id is appended to cmdRun once, below; appending it here as well
      # produced /users/<id>/<id>/certificate
      -i | --id) userId="$2"; shift 2 ;;
      -n | --name) userName="$2"; userId="$(getUserId "$userName")"; shift 2 ;;
      -d | --delete) deleteCert=1; shift ;;
      -c | --cert) certPEM="$2"; shift 2 ;;
      -p | --provider) prov="$(getIdentityProviderId "$2")"; shift 2 ;;
      --) shift; break ;;
      *) break ;;
    esac
  done
  # positional arguments override the options above
  [ -n "$1" ] && userName="$1" && userId="$(getUserId "$userName")"
  [ -n "$2" ] && certPEM="$2"
  prov="" # FIXME only on internal identity
  cmdRun="${prov:-${IDENTPROV}}${cmdRun}/${userId}/certificate"
  [ -n "${cmdArgs}" ] && cmdRun+="?${cmdArgs}"
  [ -z "$userName" ] && userName=$(getUserById "$userId")
  if [ -n "${userId}" ]; then
    # replace an existing certificate when --delete was given
    [ "${deleteCert}" -eq 1 ] && removeUserCertificate "${userName}"
    local xml="\
<l7:CertificateData xmlns:l7='http://ns.l7tech.com/2010/04/gateway-management'> \
  <l7:Encoded>${certPEM}</l7:Encoded> \
</l7:CertificateData>"
    callPUTService "${cmdRun}" "${xml}"
    local c=$(getXPathCount "/l7:Item/l7:Name")
    return ${c}
  fi
  return 0
}
Original Message:
Sent: 08-16-2019 08:59 AM
From: Lipa
Subject: Layer7 API Gateway - REST API - Adding new user
Hello Waldemar,
thanks for your help. My original idea was to create a policy-backed identity provider, but using Oracle DB, which I have at my disposal right away and am already using for other purposes.
Another problem of mine is that I want to save the client certificate in the DB, but also, as a separate field, its SHA1 thumbprint in hex format. In policy I can extract thumbprintSHA1 from the certificate, but it is Base64 encoded. So my problem is how to convert it from Base64 to hex format.
I have tried to use the Base64 decode assertion on thumbprintSHA1, save the result as ASCII and then use the Base16 encode assertion. Unfortunately the result differs from the one I can see in the certificate. Even when I try to decode thumbprintSHA1 from Base64 to hex on some online website, the result it displays is correct, but on the API GW I get a wrong result. Of course I can save the thumbprint in the database in Base64, but I would prefer having it in hex. Any idea how to solve it?
------------------------------
Regards,
Robert
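As an added illustration (not part of the original thread): a SHA-1 thumbprint is 20 raw bytes, so a Base64 form has to be decoded to bytes and hex-encoded directly; routing the decoded value through a text ("ASCII") stage drops bytes that are not printable characters, which is why the re-encoded Base16 value differs from the one in the certificate viewer. The sample thumbprint value is constructed, and the script assumes GNU coreutils (base64, od, tr).

```shell
#!/bin/sh
# Added example, not from the thread: Base64 SHA-1 thumbprint -> lowercase hex.
# Assumes GNU coreutils; the sample value below is constructed, not a real thumbprint.

# Correct path: decode to raw bytes and hex-encode those bytes unchanged.
b64_to_hex() {
    printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Lossy path, emulating "decode, store as text, Base16-encode": bytes that are
# not printable characters (here 0x00, 0x0a, 0x7f, 0xff) are lost on the way.
b64_as_text_then_hex() {
    printf '%s' "$1" | base64 -d | LC_ALL=C tr -cd '[:print:]' \
        | od -An -v -tx1 | tr -d ' \n'
}

# A SHA-1 thumbprint is exactly 20 bytes = 40 hex digits; anything else means
# the value was not a raw thumbprint or was corrupted in transit.
is_sha1_hex() {
    [ "${#1}" -eq 40 ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '0-9a-f')" ]
}

# Constructed 20-byte sample: 41 42 43 00 44 45 46 0a 47 48 49 ff 4a 4b 4c 7f 4d 4e 4f 50
SAMPLE_B64='QUJDAERFRgpHSEn/SktMf01OT1A='

good=$(b64_to_hex "$SAMPLE_B64")
bad=$(b64_as_text_then_hex "$SAMPLE_B64")
echo "raw bytes  -> $good (valid: $(is_sha1_hex "$good" && echo yes || echo no))"
echo "via text   -> $bad (valid: $(is_sha1_hex "$bad" && echo yes || echo no))"
```

The length check is a cheap sanity test to add wherever the hex value is stored: a thumbprint that is not 40 hex digits was corrupted before it reached the database.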
Original Message:
Sent: 08-13-2019 07:53 AM
From: Waldemar Rosenfeld
Subject: Layer7 API Gateway - REST API - Adding new user
Hi Robert,
As far as I know, it can only be created for the internal identity provider (but I am not sure, because you can define the identityProvider ID in the POST call). What you could do is create a policy-backed IdP, or create a service which just calls the right LDAP commands for creating a user.
For the documentation of restman: yeah, we know the pain. What helps you get the body part is the "template" command. In this case you can call "/restman/1.0/users/template". With this you will get the body part for the POST/PUT command.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management"> <l7:Name>USER Template</l7:Name> <l7:Type>USER</l7:Type> <l7:TimeStamp>2019-08-13T11:51:33.220Z</l7:TimeStamp> <l7:Link rel="self" uri="https://591064cc7106:8443/restman/1.0/identityProviders/0000000000000000fffffffffffffffe/users/template"/> <l7:Link rel="list" uri="https://591064cc7106:8443/restman/1.0/identityProviders/0000000000000000fffffffffffffffe/users"/> <l7:Resource> <l7:User providerId="0000000000000000fffffffffffffffe"> <l7:Login>Login</l7:Login> </l7:User> </l7:Resource></l7:Item>
Unfortunately the template command is not complete for every edge case. You have to find this out on your own, because the documentation isn't complete.
Best,
Waldemar
------------------------------
Product Manager
APIIDA AG
Original Message:
Sent: 08-09-2019 05:05 AM
From: Lipa
Subject: Layer7 API Gateway - REST API - Adding new user
Hello everyone,
we need to automate the process of new user creation in our identity provider, which keeps client certificates. It was created as a Federated Identity Provider. So I checked what the options are, and according to the documentation ( /restman/1.0/doc/restDoc.html#1.0/identityProviders ) it is only possible to create new users in the Internal identity provider. Can someone verify this info? Is there really no way to use the REST API for creation of a new user in an identity store other than the Internal one? We are expecting a high number of new customers and we need to automate the process. Do I really have to save client certificates in a database and create a Policy-Backed Identity Provider?
One more thing. Where can I find how the body should look for all REST API calls? In restDoc there are no sample calls.
Thanks for your ideas.
------------------------------
Regards,
Robert
------------------------------