ipsilon.git, branch non-empty-attrs Unnamed repository; edit this file 'description' to name the repository. Assertion AttributeStatements must be non-empty 2015-03-18T21:14:07+00:00 John Dennis jdennis@redhat.com 2015-03-18T21:14:07+00:00 8473dd1abcfb4ad92a4700a7715246b207ae1323 The saml-core-2.0-os specification section 2.7.3 requires the AttributeStatement element to be non-empty. Shibboleth verifies this and rejects assertions that do not comply. We gather attributes into a local dict first before adding them to the AttributeStatement so the fix is easy. Test if the dict is empty, move the initialization of the assertion AttributeStatement inside the test so it's conditional on whether the dict has members. Fixes: https://fedorahosted.org/ipsilon/ticket/61 Signed-off-by: John Dennis <jdennis@redhat.com> 
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.

Fixes: https://fedorahosted.org/ipsilon/ticket/61
Signed-off-by: John Dennis <jdennis@redhat.com>
Properly handle groups info in SAML provider 2015-03-18T00:38:27+00:00 Simo Sorce simo@redhat.com 2015-03-17T17:22:06+00:00 acd6db64e46c8fa5b93c07dc5ff5c5172ddfa4f6 Also removes internal attributes (any attribute that starts with _ Fixes: https://fedorahosted.org/ipsilon/ticket/71 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Also removes internal attributes (any attribute that starts with _

Fixes: https://fedorahosted.org/ipsilon/ticket/71

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Add negative authentication test 2015-03-18T00:37:55+00:00 Simo Sorce simo@redhat.com 2015-03-18T00:18:21+00:00 2b9b1190fdca8dc94d0a7d7f5f00d8084f729127 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Fix error returned from login plugins 2015-03-18T00:37:19+00:00 Simo Sorce simo@redhat.com 2015-03-17T23:01:59+00:00 0b40c36998ed29c7e98a8cf5f42a798e0bec0870 Some login plugins use form based authentication and let the user retry on authentication errors. This is fine, however the wrong error code is returned in this case, 401 should be returned. Fixes: https://fedorahosted.org/ipsilon/ticket/94 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Some login plugins use form based authentication and let the user retry
on authentication errors. This is fine, however the wrong error code is
returned in this case, 401 should be returned.

Fixes: https://fedorahosted.org/ipsilon/ticket/94

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Make SSSD Info enable the httpd_dbus_sssd boolean. 2015-03-17T14:52:25+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-16T14:07:41+00:00 b6cf2a56cf951b059e2755742522413c304e858e https://fedorahosted.org/ipsilon/ticket/23#comment:13 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
https://fedorahosted.org/ipsilon/ticket/23#comment:13

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Build dated RPMs by default 2015-03-16T21:47:50+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-16T14:16:03+00:00 cd855ea000e6baa994423c486779935bd02a6426 This stores the build date and git commit in the version. This way, it's a lot easier to determine when it was last built. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This stores the build date and git commit in the version.
This way, it's a lot easier to determine when it was last built.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Save user attributes on subsequent calls to login. 2015-03-16T21:18:13+00:00 Rob Crittenden rcritten@redhat.com 2015-03-16T18:34:24+00:00 2667fc13306912d4a1481e495181679012255ef6 When a login comes in via the remote_login() call no user attributes are set. These may be later filled in by a subsequent call to login() after the info plugins are called but a short-circuit in that function exits if the user matches the current session. Add an extra conditional such that if the user matches, userattributes are passed in and the current user attributes for this user is empty then save the new data. https://fedorahosted.org/ipsilon/ticket/86 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.

Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user is empty then save the new data.

https://fedorahosted.org/ipsilon/ticket/86

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Use the IPA API directly when adding the HTTP principal 2015-03-16T21:13:23+00:00 Rob Crittenden rcritten@redhat.com 2015-03-13T18:56:26+00:00 8236943374c978a8f9dc6142daac58ee0201f991 This is the only way to force in a custom version string so that the remote IPA server doesn't reject the request as being newer than the server. This also removes the need to iterate over all servers as the IPA connection API does this automatically. https://fedorahosted.org/ipsilon/ticket/47 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
This is the only way to force in a custom version string
so that the remote IPA server doesn't reject the request
as being newer than the server.

This also removes the need to iterate over all servers
as the IPA connection API does this automatically.

https://fedorahosted.org/ipsilon/ticket/47

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Fix some pylint warnings in logout test about shadowing variables. 2015-03-16T20:54:15+00:00 Rob Crittenden rcritten@redhat.com 2015-03-16T20:39:02+00:00 bae1c5592da11f1fb2b9930730cf6acae942f3dc Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Add test for multi-SP logout 2015-03-16T17:47:45+00:00 Rob Crittenden rcritten@redhat.com 2015-03-04T22:49:40+00:00 e46c8f615f867d09ce76ee269b0ba81445ad320b Create an additional SP, log into one, fetch the other and the client is now logged into both. Log out of the first one and the client is logged out of both. https://fedorahosted.org/ipsilon/ticket/58 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Create an additional SP, log into one, fetch the other and
the client is now logged into both. Log out of the first one
and the client is logged out of both.

https://fedorahosted.org/ipsilon/ticket/58

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>