Improved New-SgwAccount when used with SSO enabled

ffeldhaus · ffeldhaus · commit 6a8bd92bebec · 2019-03-15T23:17:15.000+01:00
diff --git a/src/StorageGRID-Webscale.psm1 b/src/StorageGRID-Webscale.psm1
@@ -3093,8 +3093,8 @@ function Global:New-SgwAccount {
         if (!$Server) {
             Throw "No StorageGRID admin node management server found. Please run Connect-SgwServer to continue."
         }
-        if ($Server.APIVersion -ge 2 -and !$Password) {
-            Throw "Password required"
+        if ($Server.APIVersion -ge 2 -and !$Password -and !$GrantRootAccessToGroup) {
+            Throw "Password or GrantRootAccessToGroup required"
         }
         if ($Server.APIVersion -lt 2 -and ($Quota -or $Password)) {
             Write-Warning "Quota and password will be ignored in API Version $( $Server.APIVersion )"
@@ -3116,6 +3116,11 @@ function Global:New-SgwAccount {
                 Throw "Password does not meet minimum length requirement of 8 characters"
             }
         }
+
+        if ($Server.UseSso -and !$GrantRootAccessToGroup) {
+            Write-Warning "SSO is enabled, you must specify a group for root access using -GrantRootAccessToGroup"
+            Throw "SSO is enabled, you must specify a group for root access using -GrantRootAccessToGroup"
+    }
     }
 
     Process {
@@ -3139,7 +3144,11 @@ function Global:New-SgwAccount {
         }
         if ($Server.ApiVersion -ge 3) {
             if ($GrantRootAccessToGroup) {
-                $Body.grantRootAccessToGroup = $grantRootAccessToGroup
+                $Body.policy.useAccountIdentitySource = $false
+                if ($GrantRootAccessToGroup -notmatch 'federated-group/') {
+                    $GrantRootAccessToGroup = 'federated-group/' + $GrantRootAccessToGroup
+                }
+                $Body.grantRootAccessToGroup = $GrantRootAccessToGroup
             }
         }
 
@@ -4286,7 +4295,8 @@ function global:Connect-SgwServer {
             TemporaryAccessKeyExpirationTime = $TemporaryAccessKeyExpirationTime;
             AccessKeyStore = @{ };
             AccountId = "";
-            TenantPortal = ""
+            TenantPortal = "";
+            UseSso = $False;
         }
 
         if ([environment]::OSVersion.Platform -match "Win") {
@@ -4594,6 +4604,8 @@ function global:Invoke-SgwServerSsoAuthentication {
         $Server.Headers["Authorization"] = "Bearer $( $Content.data )"
         $Server.Session = $StorageGridSession
 
+        $Server.UseSso = $True
+
         Write-Output $Server
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -3093,8 +3093,8 @@ function Global:New-SgwAccount {`
`3093`	`3093`	`if (!$Server) {`
`3094`	`3094`	`Throw "No StorageGRID admin node management server found. Please run Connect-SgwServer to continue."`
`3095`	`3095`	`}`
`3096`		`- if ($Server.APIVersion -ge 2 -and !$Password) {`
`3097`		`- Throw "Password required"`
	`3096`	`+ if ($Server.APIVersion -ge 2 -and !$Password -and !$GrantRootAccessToGroup) {`
	`3097`	`+ Throw "Password or GrantRootAccessToGroup required"`
`3098`	`3098`	`}`
`3099`	`3099`	`if ($Server.APIVersion -lt 2 -and ($Quota -or $Password)) {`
`3100`	`3100`	`Write-Warning "Quota and password will be ignored in API Version $( $Server.APIVersion )"`
`@@ -3116,6 +3116,11 @@ function Global:New-SgwAccount {`
`3116`	`3116`	`Throw "Password does not meet minimum length requirement of 8 characters"`
`3117`	`3117`	`}`
`3118`	`3118`	`}`
	`3119`	`+`
	`3120`	`+ if ($Server.UseSso -and !$GrantRootAccessToGroup) {`
	`3121`	`+ Write-Warning "SSO is enabled, you must specify a group for root access using -GrantRootAccessToGroup"`
	`3122`	`+ Throw "SSO is enabled, you must specify a group for root access using -GrantRootAccessToGroup"`
	`3123`	`+ }`
`3119`	`3124`	`}`
`3120`	`3125`
`3121`	`3126`	`Process {`
`@@ -3139,7 +3144,11 @@ function Global:New-SgwAccount {`
`3139`	`3144`	`}`
`3140`	`3145`	`if ($Server.ApiVersion -ge 3) {`
`3141`	`3146`	`if ($GrantRootAccessToGroup) {`
`3142`		`- $Body.grantRootAccessToGroup = $grantRootAccessToGroup`
	`3147`	`+ $Body.policy.useAccountIdentitySource = $false`
	`3148`	`+ if ($GrantRootAccessToGroup -notmatch 'federated-group/') {`
	`3149`	`+ $GrantRootAccessToGroup = 'federated-group/' + $GrantRootAccessToGroup`
	`3150`	`+ }`
	`3151`	`+ $Body.grantRootAccessToGroup = $GrantRootAccessToGroup`
`3143`	`3152`	`}`
`3144`	`3153`	`}`
`3145`	`3154`
`@@ -4286,7 +4295,8 @@ function global:Connect-SgwServer {`
`4286`	`4295`	`TemporaryAccessKeyExpirationTime = $TemporaryAccessKeyExpirationTime;`
`4287`	`4296`	`AccessKeyStore = @{ };`
`4288`	`4297`	`AccountId = "";`
`4289`		`- TenantPortal = ""`
	`4298`	`+ TenantPortal = "";`
	`4299`	`+ UseSso = $False;`
`4290`	`4300`	`}`
`4291`	`4301`
`4292`	`4302`	`if ([environment]::OSVersion.Platform -match "Win") {`
`@@ -4594,6 +4604,8 @@ function global:Invoke-SgwServerSsoAuthentication {`
`4594`	`4604`	`$Server.Headers["Authorization"] = "Bearer $( $Content.data )"`
`4595`	`4605`	`$Server.Session = $StorageGridSession`
`4596`	`4606`
	`4607`	`+ $Server.UseSso = $True`
	`4608`	`+`
`4597`	`4609`	`Write-Output $Server`
`4598`	`4610`	`}`
`4599`	`4611`	`}`