
4.4 The IdMM Cloud Agent

4.4.2 CloudPlugin Interface

In order to achieve the tasks it was designed for, the IdMMCloud agent uses a plugin-based system. The agent's dynamic frame contains a list of plugins. When a request arrives from any other agent, the IdMMCloud agent will attempt to find the appropriate cloud plugin and complete the task. Figure 4.37 shows the structure of a CloudPlugin.

Each plugin contains a unique id. For authentication, de-authentication and attribute synchronization, two different cases are considered. If the provider supports some open API for these tasks (e.g. customized APIs, SAML authentication mechanisms) then these APIs will be used. If there are no APIs available then a generic method is used.

The marker generic is used to distinguish between the two mechanisms. The function matchService is used to match a service to a plugin. The function returns true if the plugin can be used with a given service (specified as a parameter).

universe CloudPlugin

function id: CloudPlugin → STRING
function generic: CloudPlugin → BOOLEAN
function matchService: CloudPlugin * Service → BOOLEAN
function mapClientAttrsToCloud: CloudPlugin * LIST * Method → LIST // <Attr>
function requestAuthParameters: CloudPlugin * STRING → ELEMENT
function parseAuthParameters: CloudPlugin * ELEMENT → CloudService
function requestGenericAuthentication: CloudPlugin * CloudService → ELEMENT
function parseGenericAuthentication: CloudPlugin * ELEMENT → BOOLEAN
function makeAPIAuthentication: CloudPlugin * Service * LIST → BOOLEAN
function triggerProtocolLogin: CloudPlugin → ELEMENT
function requestGenericDeAuthentication: CloudPlugin * STRING → ELEMENT
function parseGenericDeAuthentication: CloudPlugin * ELEMENT → BOOLEAN
function makeAPIDeAuthentication: CloudPlugin * STRING → BOOLEAN
function getSyncServices: CloudPlugin → LIST // <CloudService>
function requestGenericSync: CloudPlugin * CloudService → ELEMENT
function parseGenericSync: CloudPlugin * ELEMENT → BOOLEAN
function makeAPISync: CloudPlugin * CloudService → BOOLEAN
function accountCreateService: CloudPlugin → CloudService
function requestAccountCreation: CloudPlugin * CloudService * LIST → ELEMENT
function parseAccountCreation: CloudPlugin * ELEMENT → BOOLEAN
function accountRemoveService: CloudPlugin → CloudService
function requestAccountRemove: CloudPlugin * CloudService → ELEMENT
function parseAccountRemove: CloudPlugin * ELEMENT → BOOLEAN
function accountPasswordChange: CloudPlugin → CloudService
function requestPasswordChange: CloudPlugin * CloudService → STRING
function parsePasswordChange: CloudPlugin * ELEMENT → BOOLEAN
function hasCaptcha: CloudPlugin * ELEMENT → BOOLEAN
function getCaptcha: CloudPlugin * ELEMENT → Attr
function captchaService: CloudPlugin * ELEMENT → CloudService
function requestSolveCaptcha: CloudPlugin * CloudService → ELEMENT
function parseSolvedCaptcha: CloudPlugin * ELEMENT → CloudService

Figure 4.37: ASM Fragment for the CloudPlugin Interface

In order to map the names of the attributes stored by the client to the names used by the cloud providers, the agent uses the function mapClientAttrsToCloud. This function takes a list of attributes and a method type and returns the value-wise same list, but with the names of the attributes replaced by the names required by the cloud service. For example, instead of using "username" and "password" as the names for the credentials, a service provider might choose to use "user" and "pass". The result of the mapClientAttrsToCloud function in this case will be a list in which the attribute names "username" and "password" have been replaced by "user" and "pass" respectively.

The function requestAuthParameters makes a request to the authentication service URI (represented by the STRING parameter) and retrieves the response from it. If any network errors occur the function returns undef. This response is parsed using parseAuthParameters, which returns a CloudService with the required attributes for authentication. The function requestGenericAuthentication is used to make a generic authentication. As before, undef is returned on any network error. The function parseGenericAuthentication is used to parse the response and returns true if the authentication succeeded or false if it failed. In case the cloud service provider supports an API-based authentication, the function makeAPIAuthentication is used for the authentication process. The function implements the appropriate API and returns true if the authentication succeeded. The function triggerProtocolLogin is used to trigger a protocol-based authentication. To perform the task of de-authentication, the generic method uses the requestGenericDeAuthentication and parseGenericDeAuthentication functions. A request is made to the de-authentication URI and the result is then parsed.

In case of an API-based scenario the function makeAPIDeAuthentication is used. Both makeAPIDeAuthentication and parseGenericDeAuthentication return true if the de-authentication process succeeded.

For attribute synchronization the function getSyncServices returns a list of all available synchronization points. This list contains one or more CloudServices that represent the synchronization services and the attributes required for the synchronization.

For each of these services the functions requestGenericSync and parseGenericSync, or makeAPISync, are used. The result of parseGenericSync and makeAPISync is true if the synchronization process succeeded.

A plugin is also responsible for the creation and removal of cloud accounts as well as for password resets. The function accountCreateService returns the service responsible for the creation of accounts. Once the identity-related information is added, the functions requestAccountCreation and parseAccountCreation are used to create the account, with the latter function returning true if the process succeeded. To remove an account, the function accountRemoveService returns the CloudService responsible for removing the account, while the functions requestAccountRemove and parseAccountRemove are responsible for removing the account. To change the password of an account, the function accountPasswordChange returns the CloudService for password resets, while the functions requestPasswordChange and parsePasswordChange perform the password reset.

In many cases, particularly in Software as a Service (SaaS), cloud service providers will ask for captchas to prove that the interaction occurs between them and a human being (as opposed to an automated process). A captcha, short for "Completely Automated Public Turing test to tell Computers and Humans Apart", is specifically designed to interfere with automated processes. As such, the IdMM must be able to identify captcha messages and prompt the user to solve them. The function hasCaptcha parses a response from a cloud service and determines if it contains a captcha message. The function getCaptcha is then used to extract the puzzle from it, which will then be displayed to the user. The input will then be added to the corresponding CloudService and the request re-executed. In case the solving of the captcha has to be made independent of the request, the function captchaService is used to retrieve the corresponding CloudService and the functions requestSolveCaptcha and parseSolvedCaptcha are used to solve the captcha.
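The following Python model is an added example and not code from the thesis or the IdMM project. It ties together the attribute-name mapping of mapClientAttrsToCloud, the generic authentication path (requestGenericAuthentication, parseGenericAuthentication, with undef on a network error), the generic/API switch via the generic marker, and the captcha detection described above (hasCaptcha, getCaptcha). The plugin class DemoPlugin, its in-memory "provider", the URI example.test, and all credentials and responses are constructed for this example; the interface names follow Figure 4.37, and the ASM value undef is represented by None. Note that the captcha puzzle is never solved by the agent: it is returned so that the user can be prompted, as the text requires.

```python
# Added example (not the thesis's own code): a small Python model of the
# CloudPlugin interface from Figure 4.37. DemoPlugin, its in-memory provider
# and every sample value below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNDEF = None  # stands in for the ASM value `undef` (returned on network errors)


@dataclass
class Attr:
    name: str
    value: str


@dataclass
class Service:
    uri: str


@dataclass
class CloudService:
    uri: str
    attrs: List[Attr] = field(default_factory=list)


class DemoPlugin:
    """Generic (non-API) plugin for a constructed provider at example.test."""
    id = "demo-plugin"
    generic = True          # no provider API available: use the generic path
    # client attribute name -> name the provider expects
    name_map: Dict[str, str] = {"username": "user", "password": "pass"}
    # constructed provider state: one valid account, and a failure counter that
    # makes the provider demand a captcha after three failed logins
    _accounts = {"alice": "s3cret"}
    _failures = 0
    _simulate_outage = False

    def matchService(self, service: Service) -> bool:
        return service.uri.startswith("https://example.test/")

    def mapClientAttrsToCloud(self, attrs: List[Attr], method: str) -> List[Attr]:
        # Value-wise the same list; only the names are translated, and names
        # the provider does not rename pass through unchanged
        return [Attr(self.name_map.get(a.name, a.name), a.value) for a in attrs]

    def requestGenericAuthentication(self, svc: CloudService) -> Optional[dict]:
        if self._simulate_outage:
            return UNDEF                              # network error -> undef
        if self._failures >= 3:
            return {"captcha": "What is 2 + 3?"}      # provider challenges automation
        sent = {a.name: a.value for a in svc.attrs}
        if self._accounts.get(sent.get("user")) == sent.get("pass"):
            return {"status": "ok"}
        self._failures += 1
        return {"status": "denied"}

    def parseGenericAuthentication(self, element: dict) -> bool:
        return element.get("status") == "ok"

    def hasCaptcha(self, element: dict) -> bool:
        return "captcha" in element

    def getCaptcha(self, element: dict) -> Attr:
        return Attr("captcha", element["captcha"])


def find_plugin(plugins, service: Service):
    # The agent's dynamic frame holds a list of plugins; the first match wins
    return next((p for p in plugins if p.matchService(service)), UNDEF)


def authenticate(plugins, service: Service, client_attrs: List[Attr]) -> str:
    """Outcome of one authentication request: 'ok', 'failed', 'network_error',
    'no_plugin', or 'captcha:<puzzle>' when the user has to be prompted."""
    plugin = find_plugin(plugins, service)
    if plugin is UNDEF:
        return "no_plugin"
    attrs = plugin.mapClientAttrsToCloud(client_attrs, "authentication")
    if not plugin.generic:
        # API-based providers take the makeAPIAuthentication path instead
        return "ok" if plugin.makeAPIAuthentication(service, attrs) else "failed"
    response = plugin.requestGenericAuthentication(CloudService(service.uri, attrs))
    if response is UNDEF:
        return "network_error"
    if plugin.hasCaptcha(response):
        # Not solved automatically: the puzzle is shown to the user, whose answer
        # is added to the CloudService before the request is re-executed
        return "captcha:" + plugin.getCaptcha(response).value
    return "ok" if plugin.parseGenericAuthentication(response) else "failed"


CLIENT_ATTRS = [Attr("username", "alice"), Attr("password", "s3cret")]  # constructed
SERVICE = Service("https://example.test/login")                          # constructed

if __name__ == "__main__":
    print(authenticate([DemoPlugin()], SERVICE, CLIENT_ATTRS))           # ok
```

Running the module authenticates the constructed account once; the interesting paths (a provider that cannot be reached, a service no plugin matches, and the captcha challenge after repeated failures) are reached by varying the inputs to authenticate, which keeps the agent's handling of undef and of captcha responses separate from the provider-specific parsing that a real plugin would implement.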