ipsilon.git/ipsilon, branch client-paos Unnamed repository; edit this file 'description' to name the repository. Define PAOS AssertionConsumerService in ipsilon-client-install 2015-08-27T21:18:02+00:00 John Dennis jdennis@redhat.com 2015-08-27T20:34:40+00:00 b6d4eed36301dc0f0f3058271a3f26f115d6f173 A SAML SP will not be able to perform ECP unless a AssertionConsumerService for the PAOS binding has been defined in it's metadata. The PAOS AssertionConsumerService participates in the ECP protocol exchange, specifically it's where the ECP client sends the IdP Assertion. If lasso starts to engage in an ECP transaction by trying to generate a Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in the SP metadata it will fail with a unknown provider error. Note, AssertionConsumerService elements are indexed endpoints, there may be one per protocol binding. Now that there is more than 1 AssertionConsumerService we set the isDefault flag to True on the existing post response at index 0. This isn't strictly necessary because the spec says if the default flag isn't set on any AssertionConsumerService endpoint then the first one is selected, but it's good practice anyway. FWIW, if mod_auth_mellon is not configured with metadata then mod_auth_mellon will generate it's own metadata which includes the PAOS AssertionConsumerService. However in ipsilon-client we generate the SP metadata and were failing to add the PAOS AssertionConsumerService, something mellon would have done automatically for us. This is why this bug was only first seen using ipsilon-client-install. Ticket: 162 Signed-off-by: John Dennis <jdennis@redhat.com> 
A SAML SP will not be able to perform ECP unless a
AssertionConsumerService for the PAOS binding has been defined in it's
metadata. The PAOS AssertionConsumerService participates in the ECP
protocol exchange, specifically it's where the ECP client sends the
IdP Assertion.

If lasso starts to engage in an ECP transaction by trying to generate a
Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in
the SP metadata it will fail with a unknown provider error.

Note, AssertionConsumerService elements are indexed endpoints, there
may be one per protocol binding. Now that there is more than 1
AssertionConsumerService we set the isDefault flag to True on the
existing post response at index 0. This isn't strictly necessary
because the spec says if the default flag isn't set on any
AssertionConsumerService endpoint then the first one is selected, but
it's good practice anyway.

FWIW, if mod_auth_mellon is not configured with metadata then
mod_auth_mellon will generate it's own metadata which includes the
PAOS AssertionConsumerService. However in ipsilon-client we generate
the SP metadata and were failing to add the PAOS
AssertionConsumerService, something mellon would have done
automatically for us. This is why this bug was only first seen using
ipsilon-client-install.

Ticket: 162
Signed-off-by: John Dennis <jdennis@redhat.com>
Validate options of the LDAP auth plugin on installation 2015-08-27T00:22:15+00:00 Rob Crittenden rcritten@redhat.com 2015-08-19T14:13:36+00:00 f1efb10af288c438fa034e7beb62e14b8417056f Few of the LDAP options had any validation at all so it was easy to provide a bad DN template, basedn and server URL. These types of errors are now sufficient to kill the installer rather than letting it limp along and hope the user notices the failures in the output. https://fedorahosted.org/ipsilon/ticket/40 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Few of the LDAP options had any validation at all so it was
easy to provide a bad DN template, basedn and server URL.

These types of errors are now sufficient to kill the installer
rather than letting it limp along and hope the user notices the
failures in the output.

https://fedorahosted.org/ipsilon/ticket/40

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Log a message when authentication is successful but doesn't 2015-08-25T12:55:28+00:00 Rob Crittenden rcritten@redhat.com 2015-08-24T17:42:19+00:00 ea3a3c63719961c66b7b45cd7cfee51cf4bd5f6d match the NameID required by the SAML request. https://fedorahosted.org/ipsilon/ticket/157 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
match the NameID required by the SAML request.

https://fedorahosted.org/ipsilon/ticket/157

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Count IPA as a login plugin when checking for enabled plugins 2015-08-25T12:50:43+00:00 Rob Crittenden rcritten@redhat.com 2015-08-24T18:27:35+00:00 715fa96eb2f97451749d3e66b801bdefe861b16e The installer ensures that at least one login plugin is enabled. It didn't consider IPA, which automatically enables gssapi, when doing this calculation. Add a check so that IPA counts as well. https://fedorahosted.org/ipsilon/ticket/152 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
The installer ensures that at least one login plugin is enabled.
It didn't consider IPA, which automatically enables gssapi,
when doing this calculation. Add a check so that IPA counts as well.

https://fedorahosted.org/ipsilon/ticket/152

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Enable auto-escaping templates 2015-08-21T13:45:20+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-08-18T15:10:46+00:00 a503aa9c2a30a74e709d1c88099befd50fb2eb16 This will prevent most cases of insertion of HTML or other code into the generated HTML. Fixes: CVE-2015-5215 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will prevent most cases of insertion of HTML or other
code into the generated HTML.

Fixes: CVE-2015-5215

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Fix permission check on SP update 2015-08-21T13:45:00+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-08-18T14:26:50+00:00 826e6339441546f596320f3d73304ab5f7c10de6 The permission check for owner was checking the wrong field, which would make it possible for anyone to update the Service Provider owner, making it possible for anyone to change the SP owner, allowing anyone to change the SP name. Fixes: CVE-2015-5217 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Report to user if an LDAP error occurs 2015-08-18T18:50:43+00:00 Rob Crittenden rcritten@redhat.com 2015-07-20T20:42:36+00:00 5f591228346bd96561b693cae43b8f14e4c3b26d Catch LDAP errors and display them properly rather than just dumping the exception. Rename variable authed to authok. Add test for case where LDAP server is not started to confirm the user receives the error alert. https://fedorahosted.org/ipsilon/ticket/55 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Catch LDAP errors and display them properly rather than
just dumping the exception.

Rename variable authed to authok.

Add test for case where LDAP server is not started to
confirm the user receives the error alert.

https://fedorahosted.org/ipsilon/ticket/55

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Mark the service as readonly in the UI in authpam plugin 2015-08-18T07:52:25+00:00 Rob Crittenden rcritten@redhat.com 2015-07-17T18:07:16+00:00 bfa0e5d352ea0d6217d31c952f35cd527264e4fa Update the Option class to take a readonly keyword argument, defaulting to False. Extend its subclasses to pass this value along. The page template will add the disabled keyword to input and textarea if a config option is marked as readonly. https://fedorahosted.org/ipsilon/ticket/6 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Update the Option class to take a readonly keyword argument,
defaulting to False. Extend its subclasses to pass this value
along.

The page template will add the disabled keyword to input and
textarea if a config option is marked as readonly.

https://fedorahosted.org/ipsilon/ticket/6

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Only initialize the Persona IDP when actually enabled 2015-08-18T07:41:03+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-07-17T14:03:15+00:00 7b470b0e494a7ff5a088c3ead2e60754b67282f1 This has the same reasoning as the OpenID patch (commit ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally that it will otherwise error on loading the signing key. (This is not critical though as it will retry loading and succeed, this is just to make it not spit that error). Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This has the same reasoning as the OpenID patch (commit
ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally
that it will otherwise error on loading the signing key.
(This is not critical though as it will retry loading and
succeed, this is just to make it not spit that error).

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Use full path when constructing "Other authentication methods" 2015-08-11T10:10:50+00:00 Rob Crittenden rcritten@redhat.com 2015-08-06T15:12:16+00:00 a69505f662aadfd38c31ebadab18e1beccc1b95c It was previously providing just a relative path and if the paths overlapped I guess the browser was trying to smash them together. This would result in a double "gssapi" in the gssapi URL like: https://my.ipsilon.org/idp/login/gssapi/gssapi/negotiate?ips... Don't rely on the browser to get the path right, use self.basepath. https://fedorahosted.org/ipsilon/ticket/153 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
It was previously providing just a relative path and if the paths
overlapped I guess the browser was trying to smash them together.

This would result in a double "gssapi" in the gssapi URL like:

https://my.ipsilon.org/idp/login/gssapi/gssapi/negotiate?ips...

Don't rely on the browser to get the path right, use self.basepath.

https://fedorahosted.org/ipsilon/ticket/153

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>