ipsilon.git/ipsilon, branch non-empty-attrs Unnamed repository; edit this file 'description' to name the repository. Assertion AttributeStatements must be non-empty 2015-03-18T21:14:07+00:00 John Dennis jdennis@redhat.com 2015-03-18T21:14:07+00:00 8473dd1abcfb4ad92a4700a7715246b207ae1323 The saml-core-2.0-os specification section 2.7.3 requires the AttributeStatement element to be non-empty. Shibboleth verifies this and rejects assertions that do not comply. We gather attributes into a local dict first before adding them to the AttributeStatement so the fix is easy. Test if the dict is empty, move the initialization of the assertion AttributeStatement inside the test so it's conditional on whether the dict has members. Fixes: https://fedorahosted.org/ipsilon/ticket/61 Signed-off-by: John Dennis <jdennis@redhat.com> 
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.

Fixes: https://fedorahosted.org/ipsilon/ticket/61
Signed-off-by: John Dennis <jdennis@redhat.com>
Properly handle groups info in SAML provider 2015-03-18T00:38:27+00:00 Simo Sorce simo@redhat.com 2015-03-17T17:22:06+00:00 acd6db64e46c8fa5b93c07dc5ff5c5172ddfa4f6 Also removes internal attributes (any attribute that starts with _ Fixes: https://fedorahosted.org/ipsilon/ticket/71 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Also removes internal attributes (any attribute that starts with _

Fixes: https://fedorahosted.org/ipsilon/ticket/71

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Fix error returned from login plugins 2015-03-18T00:37:19+00:00 Simo Sorce simo@redhat.com 2015-03-17T23:01:59+00:00 0b40c36998ed29c7e98a8cf5f42a798e0bec0870 Some login plugins use form based authentication and let the user retry on authentication errors. This is fine, however the wrong error code is returned in this case, 401 should be returned. Fixes: https://fedorahosted.org/ipsilon/ticket/94 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Some login plugins use form based authentication and let the user retry
on authentication errors. This is fine, however the wrong error code is
returned in this case, 401 should be returned.

Fixes: https://fedorahosted.org/ipsilon/ticket/94

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Make SSSD Info enable the httpd_dbus_sssd boolean. 2015-03-17T14:52:25+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-16T14:07:41+00:00 b6cf2a56cf951b059e2755742522413c304e858e https://fedorahosted.org/ipsilon/ticket/23#comment:13 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
https://fedorahosted.org/ipsilon/ticket/23#comment:13

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Save user attributes on subsequent calls to login. 2015-03-16T21:18:13+00:00 Rob Crittenden rcritten@redhat.com 2015-03-16T18:34:24+00:00 2667fc13306912d4a1481e495181679012255ef6 When a login comes in via the remote_login() call no user attributes are set. These may be later filled in by a subsequent call to login() after the info plugins are called but a short-circuit in that function exits if the user matches the current session. Add an extra conditional such that if the user matches, userattributes are passed in and the current user attributes for this user is empty then save the new data. https://fedorahosted.org/ipsilon/ticket/86 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.

Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user is empty then save the new data.

https://fedorahosted.org/ipsilon/ticket/86

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Use the IPA API directly when adding the HTTP principal 2015-03-16T21:13:23+00:00 Rob Crittenden rcritten@redhat.com 2015-03-13T18:56:26+00:00 8236943374c978a8f9dc6142daac58ee0201f991 This is the only way to force in a custom version string so that the remote IPA server doesn't reject the request as being newer than the server. This also removes the need to iterate over all servers as the IPA connection API does this automatically. https://fedorahosted.org/ipsilon/ticket/47 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
This is the only way to force in a custom version string
so that the remote IPA server doesn't reject the request
as being newer than the server.

This also removes the need to iterate over all servers
as the IPA connection API does this automatically.

https://fedorahosted.org/ipsilon/ticket/47

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Don't explicitly save sessions 2015-03-12T19:36:33+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T23:51:29+00:00 22e983978fcbd84896468017dd5bdacf8a18cf3c Saving a session causes it to be unlocked, but sessions have a hook that also performs a save just before the session is finalized. In CherryPy 3.3.0 and later, an assertion was added to ensure that a session is locked when trying to perform a save. Since we perform explicit saves in our code, this causes the assertion to be tripped when the hook executes. This patch removes our explicit save calls. We should rely on the hook to save and unlock the session. https://fedorahosted.org/ipsilon/ticket/84 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Saving a session causes it to be unlocked, but sessions have a
hook that also performs a save just before the session is finalized.
In CherryPy 3.3.0 and later, an assertion was added to ensure that
a session is locked when trying to perform a save.  Since we perform
explicit saves in our code, this causes the assertion to be tripped
when the hook executes.

This patch removes our explicit save calls.  We should rely on the
hook to save and unlock the session.

https://fedorahosted.org/ipsilon/ticket/84

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Proper fallback from referer to REQUEST_URI 2015-03-12T18:48:11+00:00 Simo Sorce simo@redhat.com 2015-03-12T17:51:04+00:00 078942b2cf6d73697f4c6b8a28cabe940f358532 If the referer is present but does not contain a transaction ID we still need to fallback to the REQUEST_URI. Fix the code to check the url and then fallback to REQUEST_URI rathe than decide upfront merely on the fact a referer is available. https://fedorahosted.org/ipsilon/ticket/74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
If the referer is present but does not contain a transaction ID we still
need to fallback to the REQUEST_URI. Fix the code to check the url and
then fallback to REQUEST_URI rathe than decide upfront merely on the
fact a referer is available.

https://fedorahosted.org/ipsilon/ticket/74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Validate SP path settings during installation 2015-03-11T13:48:55+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T03:02:07+00:00 a1bcbfd426a6c3860edf53e12da32ff6daad4442 There are a number of URL path options that can be specified as options when running ipsilon-client-install. There are certain rules that must be followed to result in a valid mod_auth_mellon configuration: - All path options must be prefixed with '/'. - The mellon endpoint path (--saml-sp) must be a subpath of the httpd 'Location' element is it contained within (--saml-base). - The logout (--saml-sp-logout) and post (--saml-sp-post) paths must be subpaths of the mellon endpoint (--saml-sp). This adds validation for all of the above rules. https://fedorahosted.org/ipsilon/ticket/82 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:

 - All path options must be prefixed with '/'.

 - The mellon endpoint path (--saml-sp) must be a subpath of the
   httpd 'Location' element is it contained within (--saml-base).

 - The logout (--saml-sp-logout) and post (--saml-sp-post) paths
   must be subpaths of the mellon endpoint (--saml-sp).

This adds validation for all of the above rules.

https://fedorahosted.org/ipsilon/ticket/82

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add Cache-Control header to prevent browser caching of SAML auth location 2015-03-10T22:24:08+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T18:22:47+00:00 d67664fbffe9c380a354abe115ee5afa1ff968be We should prevent browser caching of the SAML auth location that we configure for an SP. This can be easily done by adding the following directive to that location in the httpd config: Header append Cache-Control "no-cache" https://fedorahosted.org/ipsilon/ticket/81 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:

    Header append Cache-Control "no-cache"

https://fedorahosted.org/ipsilon/ticket/81

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>