ipsilon.git/ipsilon, branch ecp Unnamed repository; edit this file 'description' to name the repository. Implement ECP in Ipsilon 2015-08-27T12:07:26+00:00 John Dennis jdennis@redhat.com 2015-01-26T21:04:40+00:00 665977900bda4e252e2f8895c986767e4bbba5a6 * add saml2/SSO/SOAP endpoint. * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support. * add SSO_SOAP soap authentication handler (used for ECP). * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding. * add some constants needed for ECP Signed-off-by: John Dennis <jdennis@redhat.com> 
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

Signed-off-by: John Dennis <jdennis@redhat.com>
Validate options of the LDAP auth plugin on installation 2015-08-27T00:22:15+00:00 Rob Crittenden rcritten@redhat.com 2015-08-19T14:13:36+00:00 f1efb10af288c438fa034e7beb62e14b8417056f Few of the LDAP options had any validation at all so it was easy to provide a bad DN template, basedn and server URL. These types of errors are now sufficient to kill the installer rather than letting it limp along and hope the user notices the failures in the output. https://fedorahosted.org/ipsilon/ticket/40 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Few of the LDAP options had any validation at all so it was
easy to provide a bad DN template, basedn and server URL.

These types of errors are now sufficient to kill the installer
rather than letting it limp along and hope the user notices the
failures in the output.

https://fedorahosted.org/ipsilon/ticket/40

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Log a message when authentication is successful but doesn't 2015-08-25T12:55:28+00:00 Rob Crittenden rcritten@redhat.com 2015-08-24T17:42:19+00:00 ea3a3c63719961c66b7b45cd7cfee51cf4bd5f6d match the NameID required by the SAML request. https://fedorahosted.org/ipsilon/ticket/157 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
match the NameID required by the SAML request.

https://fedorahosted.org/ipsilon/ticket/157

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Count IPA as a login plugin when checking for enabled plugins 2015-08-25T12:50:43+00:00 Rob Crittenden rcritten@redhat.com 2015-08-24T18:27:35+00:00 715fa96eb2f97451749d3e66b801bdefe861b16e The installer ensures that at least one login plugin is enabled. It didn't consider IPA, which automatically enables gssapi, when doing this calculation. Add a check so that IPA counts as well. https://fedorahosted.org/ipsilon/ticket/152 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
The installer ensures that at least one login plugin is enabled.
It didn't consider IPA, which automatically enables gssapi,
when doing this calculation. Add a check so that IPA counts as well.

https://fedorahosted.org/ipsilon/ticket/152

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Enable auto-escaping templates 2015-08-21T13:45:20+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-08-18T15:10:46+00:00 a503aa9c2a30a74e709d1c88099befd50fb2eb16 This will prevent most cases of insertion of HTML or other code into the generated HTML. Fixes: CVE-2015-5215 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will prevent most cases of insertion of HTML or other
code into the generated HTML.

Fixes: CVE-2015-5215

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Fix permission check on SP update 2015-08-21T13:45:00+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-08-18T14:26:50+00:00 826e6339441546f596320f3d73304ab5f7c10de6 The permission check for owner was checking the wrong field, which would make it possible for anyone to update the Service Provider owner, making it possible for anyone to change the SP owner, allowing anyone to change the SP name. Fixes: CVE-2015-5217 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Report to user if an LDAP error occurs 2015-08-18T18:50:43+00:00 Rob Crittenden rcritten@redhat.com 2015-07-20T20:42:36+00:00 5f591228346bd96561b693cae43b8f14e4c3b26d Catch LDAP errors and display them properly rather than just dumping the exception. Rename variable authed to authok. Add test for case where LDAP server is not started to confirm the user receives the error alert. https://fedorahosted.org/ipsilon/ticket/55 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Catch LDAP errors and display them properly rather than
just dumping the exception.

Rename variable authed to authok.

Add test for case where LDAP server is not started to
confirm the user receives the error alert.

https://fedorahosted.org/ipsilon/ticket/55

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Mark the service as readonly in the UI in authpam plugin 2015-08-18T07:52:25+00:00 Rob Crittenden rcritten@redhat.com 2015-07-17T18:07:16+00:00 bfa0e5d352ea0d6217d31c952f35cd527264e4fa Update the Option class to take a readonly keyword argument, defaulting to False. Extend its subclasses to pass this value along. The page template will add the disabled keyword to input and textarea if a config option is marked as readonly. https://fedorahosted.org/ipsilon/ticket/6 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Update the Option class to take a readonly keyword argument,
defaulting to False. Extend its subclasses to pass this value
along.

The page template will add the disabled keyword to input and
textarea if a config option is marked as readonly.

https://fedorahosted.org/ipsilon/ticket/6

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Only initialize the Persona IDP when actually enabled 2015-08-18T07:41:03+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-07-17T14:03:15+00:00 7b470b0e494a7ff5a088c3ead2e60754b67282f1 This has the same reasoning as the OpenID patch (commit ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally that it will otherwise error on loading the signing key. (This is not critical though as it will retry loading and succeed, this is just to make it not spit that error). Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This has the same reasoning as the OpenID patch (commit
ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally
that it will otherwise error on loading the signing key.
(This is not critical though as it will retry loading and
succeed, this is just to make it not spit that error).

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Use full path when constructing "Other authentication methods" 2015-08-11T10:10:50+00:00 Rob Crittenden rcritten@redhat.com 2015-08-06T15:12:16+00:00 a69505f662aadfd38c31ebadab18e1beccc1b95c It was previously providing just a relative path and if the paths overlapped I guess the browser was trying to smash them together. This would result in a double "gssapi" in the gssapi URL like: https://my.ipsilon.org/idp/login/gssapi/gssapi/negotiate?ips... Don't rely on the browser to get the path right, use self.basepath. https://fedorahosted.org/ipsilon/ticket/153 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
It was previously providing just a relative path and if the paths
overlapped I guess the browser was trying to smash them together.

This would result in a double "gssapi" in the gssapi URL like:

https://my.ipsilon.org/idp/login/gssapi/gssapi/negotiate?ips...

Don't rely on the browser to get the path right, use self.basepath.

https://fedorahosted.org/ipsilon/ticket/153

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>