ipsilon.git/ipsilon/providers, branch client-paos Unnamed repository; edit this file 'description' to name the repository. Log a message when authentication is successful but doesn't 2015-08-25T12:55:28+00:00 Rob Crittenden rcritten@redhat.com 2015-08-24T17:42:19+00:00 ea3a3c63719961c66b7b45cd7cfee51cf4bd5f6d match the NameID required by the SAML request. https://fedorahosted.org/ipsilon/ticket/157 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
match the NameID required by the SAML request.

https://fedorahosted.org/ipsilon/ticket/157

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Fix permission check on SP update 2015-08-21T13:45:00+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-08-18T14:26:50+00:00 826e6339441546f596320f3d73304ab5f7c10de6 The permission check for owner was checking the wrong field, which would make it possible for anyone to update the Service Provider owner, making it possible for anyone to change the SP owner, allowing anyone to change the SP name. Fixes: CVE-2015-5217 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Only initialize the Persona IDP when actually enabled 2015-08-18T07:41:03+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-07-17T14:03:15+00:00 7b470b0e494a7ff5a088c3ead2e60754b67282f1 This has the same reasoning as the OpenID patch (commit ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally that it will otherwise error on loading the signing key. (This is not critical though as it will retry loading and succeed, this is just to make it not spit that error). Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This has the same reasoning as the OpenID patch (commit
ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally
that it will otherwise error on loading the signing key.
(This is not critical though as it will retry loading and
succeed, this is just to make it not spit that error).

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Drop all the calls to .keys() when iterating on the keys of a dict 2015-08-11T10:08:50+00:00 Pierre-Yves Chibon pingou@pingoured.fr 2015-07-28T11:19:49+00:00 ce2bbec3f2a010cfa26363a91a6224efe484f06f When browsing the keys of a dictionary, you can use the ``.keys()`` method but that is in fact only really useful if you want to store the list of keys first and act on them (like sorting them or so). If you just want to iterate through all the keys, no matter the order, then it is much much faster to just do: ``for key in dict`` Some stats about this can be found there: http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr> Reviewed-by: Simo Sorce <simo@redhat.com> 
When browsing the keys of a dictionary, you can use the ``.keys()`` method but
that is in fact only really useful if you want to store the list of keys first
and act on them (like sorting them or so).
If you just want to iterate through all the keys, no matter the order, then it
is much much faster to just do: ``for key in dict``

Some stats about this can be found there:
http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Reviewed-by: Simo Sorce <simo@redhat.com>
Only initialize the SAML IDP when actually enabled 2015-07-17T13:59:49+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-07-17T13:57:28+00:00 07ec779defce9b0fecf4da8c726d1b492c147626 This has the same reasoning as the OpenID patch (commit ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally that it will otherwise error on finding the metadata. (This is not critical though as it will retry loading and succeed, this is just to make it not spit that error). Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This has the same reasoning as the OpenID patch (commit
ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally
that it will otherwise error on finding the metadata.
(This is not critical though as it will retry loading and
succeed, this is just to make it not spit that error).

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add support for logout over SOAP 2015-07-16T13:04:36+00:00 Rob Crittenden rcritten@redhat.com 2015-06-25T15:00:59+00:00 2751451f4158417e66974d6415d2da84f612ab3c As each login session comes in, store the supported logout mechanisms in the SP metadata. Upon a logout request, loop through all of those SP's that support SOAP and log those out first, then log out any remaining sessions using HTTP Redirect. https://fedorahosted.org/ipsilon/ticket/59 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
As each login session comes in, store the supported logout
mechanisms in the SP metadata.

Upon a logout request, loop through all of those SP's that
support SOAP and log those out first, then log out any
remaining sessions using HTTP Redirect.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Only initialize the OpenID IDP when actually enabled 2015-07-08T11:27:02+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-07-08T10:37:04+00:00 ac7c20cca81c3d23ee66f224030b316bdff2274a This is needed because otherwise it will try to set the database schema version before it read the configuration for providers, which means it will do this in the default (openid.sqlite) database file. If you are running as a non-privileged user (as your should) with the working directory pointing somewhere this user is unable to write, this means it will fail to write this. Note: the working directory is not in the default wsgi file, which means that people using that will not likely hit this bug. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This is needed because otherwise it will try to set the database schema version
before it read the configuration for providers, which means it will do this
in the default (openid.sqlite) database file.
If you are running as a non-privileged user (as your should) with the working
directory pointing somewhere this user is unable to write, this means it will
fail to write this.

Note: the working directory is not in the default wsgi file, which means that
people using that will not likely hit this bug.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Use plugin-specific configuration, better expiration 2015-05-11T22:39:31+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:14:42+00:00 8445b3297cd0b25989f2575c21bf3426aee7c5ad Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick). https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Remove expired SAML2 sessions 2015-05-11T22:39:28+00:00 Rob Crittenden rcritten@redhat.com 2015-04-20T20:44:41+00:00 6437f6c9385e5e59cb21de7a3addedd904ee2825 Run a cherrypy background task to sift through the sessions database and find expired entries and remove them. From my testing if a previous execution of the background task is still executing when the next one is scheduled to run, it will skip it. In other words, you can't end up with multiple expirations running at the same time. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.

From my testing if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Update IdP-initiated logout to use SAML2 Store 2015-05-11T22:39:26+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:44:04+00:00 085327baa87a990d0d986861a23305dc03530d71 This moves the order in which the "fake" session is created and it gives it a unique ID rather than using a fixed value. Rely on the LogoutRequest request ID so we can get the order of logout correct. The basic idea is a logout request is created for the IdP containing the URL of the IdP itself as the RelayState. A session is picked and a LogoutRequest generated and sent. There will be a LogoutRequest/LogoutResponse back and forth until there are no more sessions to log out. The last session will be this "fake" session that started it all and the user will be redirected to the main page of the IdP. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
This moves the order in which the "fake" session is created and
it gives it a unique ID rather than using a fixed value.

Rely on the LogoutRequest request ID so we can get the
order of logout correct.

The basic idea is a logout request is created for the IdP
containing the URL of the IdP itself as the RelayState. A
session is picked and a LogoutRequest generated and sent.

There will be a LogoutRequest/LogoutResponse back and forth
until there are no more sessions to log out. The last
session will be this "fake" session that started it all
and the user will be redirected to the main page of the IdP.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>