ipsilon.git/ipsilon/providers/saml2, branch ecp Unnamed repository; edit this file 'description' to name the repository. Implement ECP in Ipsilon 2015-08-27T12:07:26+00:00 John Dennis jdennis@redhat.com 2015-01-26T21:04:40+00:00 665977900bda4e252e2f8895c986767e4bbba5a6 * add saml2/SSO/SOAP endpoint. * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support. * add SSO_SOAP soap authentication handler (used for ECP). * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding. * add some constants needed for ECP Signed-off-by: John Dennis <jdennis@redhat.com> 
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

Signed-off-by: John Dennis <jdennis@redhat.com>
Log a message when authentication is successful but doesn't 2015-08-25T12:55:28+00:00 Rob Crittenden rcritten@redhat.com 2015-08-24T17:42:19+00:00 ea3a3c63719961c66b7b45cd7cfee51cf4bd5f6d match the NameID required by the SAML request. https://fedorahosted.org/ipsilon/ticket/157 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
match the NameID required by the SAML request.

https://fedorahosted.org/ipsilon/ticket/157

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Fix permission check on SP update 2015-08-21T13:45:00+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-08-18T14:26:50+00:00 826e6339441546f596320f3d73304ab5f7c10de6 The permission check for owner was checking the wrong field, which would make it possible for anyone to update the Service Provider owner, making it possible for anyone to change the SP owner, allowing anyone to change the SP name. Fixes: CVE-2015-5217 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Drop all the calls to .keys() when iterating on the keys of a dict 2015-08-11T10:08:50+00:00 Pierre-Yves Chibon pingou@pingoured.fr 2015-07-28T11:19:49+00:00 ce2bbec3f2a010cfa26363a91a6224efe484f06f When browsing the keys of a dictionary, you can use the ``.keys()`` method but that is in fact only really useful if you want to store the list of keys first and act on them (like sorting them or so). If you just want to iterate through all the keys, no matter the order, then it is much much faster to just do: ``for key in dict`` Some stats about this can be found there: http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr> Reviewed-by: Simo Sorce <simo@redhat.com> 
When browsing the keys of a dictionary, you can use the ``.keys()`` method but
that is in fact only really useful if you want to store the list of keys first
and act on them (like sorting them or so).
If you just want to iterate through all the keys, no matter the order, then it
is much much faster to just do: ``for key in dict``

Some stats about this can be found there:
http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add support for logout over SOAP 2015-07-16T13:04:36+00:00 Rob Crittenden rcritten@redhat.com 2015-06-25T15:00:59+00:00 2751451f4158417e66974d6415d2da84f612ab3c As each login session comes in, store the supported logout mechanisms in the SP metadata. Upon a logout request, loop through all of those SP's that support SOAP and log those out first, then log out any remaining sessions using HTTP Redirect. https://fedorahosted.org/ipsilon/ticket/59 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
As each login session comes in, store the supported logout
mechanisms in the SP metadata.

Upon a logout request, loop through all of those SP's that
support SOAP and log those out first, then log out any
remaining sessions using HTTP Redirect.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Use plugin-specific configuration, better expiration 2015-05-11T22:39:31+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:14:42+00:00 8445b3297cd0b25989f2575c21bf3426aee7c5ad Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick). https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Remove expired SAML2 sessions 2015-05-11T22:39:28+00:00 Rob Crittenden rcritten@redhat.com 2015-04-20T20:44:41+00:00 6437f6c9385e5e59cb21de7a3addedd904ee2825 Run a cherrypy background task to sift through the sessions database and find expired entries and remove them. From my testing if a previous execution of the background task is still executing when the next one is scheduled to run, it will skip it. In other words, you can't end up with multiple expirations running at the same time. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.

From my testing if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Convert logout code to use SAML2 Store 2015-05-11T22:39:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:40:30+00:00 93c25cc530a6c1b166af729e7a95ffd2f5a6a4d4 This is functionally the same. The primary differences are: - When logging out, fetch all requested session indexes in the LogoutRequest. - Store the LogoutRequest request ID to be used later when a LogoutResponse is received to look up the logout. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
This is functionally the same. The primary differences are:

- When logging out, fetch all requested session indexes in the
  LogoutRequest.
- Store the LogoutRequest request ID to be used later when a
  LogoutResponse is received to look up the logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Create a SAML2 session during login 2015-05-11T22:39:14+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:38:14+00:00 b8325ea0ff101ea90596b122ae3e58ea37725d09 Use the updated session API to create a SAML2 session. Note that each session is stored discretely. Previously if a session for a provider already existed then that one session held all the session indexes. Now if a new session comes in it is added separately. During logout all sessions for a provider are retrieved and all logged-in sessions sent to the SP to log out. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Use the updated session API to create a SAML2 session.
Note that each session is stored discretely. Previously if
a session for a provider already existed then that one session
held all the session indexes. Now if a new session comes in
it is added separately. During logout all sessions for a provider
are retrieved and all logged-in sessions sent to the SP to
log out.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Change SAML2 sessions backend to use Store API 2015-05-11T22:39:10+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:35:25+00:00 bc133a7cb4a319675e4bb577812c7475009175b7 The basic session API remains the same, just replace the calls to pull data out of the user session to instead pull from the database. The per-session logout state is now a constant rather than being a member of either the logged_in or logging_out dictionaries. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
The basic session API remains the same, just replace
the calls to pull data out of the user session to
instead pull from the database.

The per-session logout state is now a constant rather than
being a member of either the logged_in or logging_out
dictionaries.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>