ipsilon.git/ipsilon/util, branch ecp Unnamed repository; edit this file 'description' to name the repository. Mark the service as readonly in the UI in authpam plugin 2015-08-18T07:52:25+00:00 Rob Crittenden rcritten@redhat.com 2015-07-17T18:07:16+00:00 bfa0e5d352ea0d6217d31c952f35cd527264e4fa Update the Option class to take a readonly keyword argument, defaulting to False. Extend its subclasses to pass this value along. The page template will add the disabled keyword to input and textarea if a config option is marked as readonly. https://fedorahosted.org/ipsilon/ticket/6 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Update the Option class to take a readonly keyword argument,
defaulting to False. Extend its subclasses to pass this value
along.

The page template will add the disabled keyword to input and
textarea if a config option is marked as readonly.

https://fedorahosted.org/ipsilon/ticket/6

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Drop all the calls to .keys() when iterating on the keys of a dict 2015-08-11T10:08:50+00:00 Pierre-Yves Chibon pingou@pingoured.fr 2015-07-28T11:19:49+00:00 ce2bbec3f2a010cfa26363a91a6224efe484f06f When browsing the keys of a dictionary, you can use the ``.keys()`` method but that is in fact only really useful if you want to store the list of keys first and act on them (like sorting them or so). If you just want to iterate through all the keys, no matter the order, then it is much much faster to just do: ``for key in dict`` Some stats about this can be found there: http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr> Reviewed-by: Simo Sorce <simo@redhat.com> 
When browsing the keys of a dictionary, you can use the ``.keys()`` method but
that is in fact only really useful if you want to store the list of keys first
and act on them (like sorting them or so).
If you just want to iterate through all the keys, no matter the order, then it
is much much faster to just do: ``for key in dict``

Some stats about this can be found there:
http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add support for logout over SOAP 2015-07-16T13:04:36+00:00 Rob Crittenden rcritten@redhat.com 2015-06-25T15:00:59+00:00 2751451f4158417e66974d6415d2da84f612ab3c As each login session comes in, store the supported logout mechanisms in the SP metadata. Upon a logout request, loop through all of those SP's that support SOAP and log those out first, then log out any remaining sessions using HTTP Redirect. https://fedorahosted.org/ipsilon/ticket/59 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
As each login session comes in, store the supported logout
mechanisms in the SP metadata.

Upon a logout request, loop through all of those SP's that
support SOAP and log those out first, then log out any
remaining sessions using HTTP Redirect.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Use plugin-specific configuration, better expiration 2015-05-11T22:39:31+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:14:42+00:00 8445b3297cd0b25989f2575c21bf3426aee7c5ad Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick). https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add support for storing SAML2 sessions 2015-05-11T22:38:39+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:30:31+00:00 613e047c65aa78d661155a989149ad4745a8a25f Store SAML2 session information in a table rather than with the user entry so sessions can be persisted past IdP restarts and if the user accesses the system via multiple browsers SLO will log out all sessions, not just the user session that initiated the logout. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Store SAML2 session information in a table rather than with the
user entry so sessions can be persisted past IdP restarts and if
the user accesses the system via multiple browsers SLO will log
out all sessions, not just the user session that initiated the
logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add database schema versioning 2015-05-08T17:33:49+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-05-08T14:56:36+00:00 9b7f9756d89f0a7908d9b7323f682f34b37d200e With this skeleton code we can add upgrade code if we ever change the database schema. https://fedorahosted.org/ipsilon/ticket/56 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
With this skeleton code we can add upgrade code
if we ever change the database schema.

https://fedorahosted.org/ipsilon/ticket/56

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Implement ECP in Ipsilon 2015-05-08T15:17:02+00:00 John Dennis jdennis@redhat.com 2015-01-26T21:04:40+00:00 be55bdf7ee36ad38b25b5f79fc4b82edb2557148 * add saml2/SSO/SOAP endpoint. * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support. * add SSO_SOAP soap authentication handler (used for ECP). * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding. * add some constants needed for ECP https://fedorahosted.org/ipsilon/ticket/4 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

https://fedorahosted.org/ipsilon/ticket/4

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Update Copyright header point to COPYING file 2015-05-08T15:00:48+00:00 Rob Crittenden rcritten@redhat.com 2015-05-08T02:40:19+00:00 cfe24fa3dc15d87f3ace944a2d62a0f4c5ee496c Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit. https://fedorahosted.org/ipsilon/ticket/126 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Point to a file containing the license rather than including
it in every single source file. This will make it easier to
manage the license in the future without another humongous
commit.

https://fedorahosted.org/ipsilon/ticket/126

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add db.conn.log option to suppress sql logs by default 2015-05-07T20:08:04+00:00 Rob Crittenden rcritten@redhat.com 2015-05-07T19:51:23+00:00 abcefb0f2eece549371f951b58144188d2ac9307 The Store logging is quite verbose with a flurry of init and destroy messages with each session. Setting db.conn.log to False (default) will suppress these. If one needs to do connection tracing it can be enabled. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The Store logging is quite verbose with a flurry of
init and destroy messages with each session. Setting
db.conn.log to False (default) will suppress these. If one
needs to do connection tracing it can be enabled.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
pylint 1.4.3 version fixes 2015-05-07T18:44:20+00:00 Simo Sorce simo@redhat.com 2015-05-07T16:33:40+00:00 1bcc0d697dd37a9268641f0cbaa7e9e781552233 Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completly so older pylint versions are happy too. Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes. In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Pylint 1.4.3 completely stopped recognizing the star-args condition.
In order to avoid pylint error with > 1.4.3 stop caring for star-args
and add cmdline option to ignore those errors completly so older pylint
versions are happy too.

Also fix type() vs isinstance() checks, isinstance is generally a more
correct approach to check for classes.

In some 'admin' files the type() -> isinstance() fix required to invert
the order in which ComplexList and MappingList are checked as the latter
is a subclass of ComplexList, so it needs to be checked first otherwise
the check for isinstance(option, ComplexList) matches for both and the
code stops functioning properly.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>