| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
match the NameID required by the SAML request.
https://fedorahosted.org/ipsilon/ticket/157
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.
Fixes: CVE-2015-5217
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When browsing the keys of a dictionary, you can use the ``.keys()`` method but
that is in fact only really useful if you want to store the list of keys first
and act on them (like sorting them or so).
If you just want to iterate through all the keys, no matter the order, then it
is much much faster to just do: ``for key in dict``
Some stats about this can be found there:
http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
As each login session comes in, store the supported logout
mechanisms in the SP metadata.
Upon a logout request, loop through all of those SP's that
support SOAP and log those out first, then log out any
remaining sessions using HTTP Redirect.
https://fedorahosted.org/ipsilon/ticket/59
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use a SAML2 plugin specific option to specify the database uri
for sessions.
Use a much more robust method to find sessions that need
expiration (thanks Patrick).
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.
From my testing if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is functionally the same. The primary differences are:
- When logging out, fetch all requested session indexes in the
LogoutRequest.
- Store the LogoutRequest request ID to be used later when a
LogoutResponse is received to look up the logout.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use the updated session API to create a SAML2 session.
Note that each session is stored discretely. Previously if
a session for a provider already existed then that one session
held all the session indexes. Now if a new session comes in
it is added separately. During logout all sessions for a provider
are retrieved and all logged-in sessions sent to the SP to
log out.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The basic session API remains the same, just replace
the calls to pull data out of the user session to
instead pull from the database.
The per-session logout state is now a constant rather than
being a member of either the logged_in or logging_out
dictionaries.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
and other HTTP concepts are expected. Each handler is responsible
for setting the binding.
* add some constants needed for ECP
https://fedorahosted.org/ipsilon/ticket/4
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Point to a file containing the license rather than including
it in every single source file. This will make it easier to
manage the license in the future without another humongous
commit.
https://fedorahosted.org/ipsilon/ticket/126
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pylint 1.4.3 completely stopped recognizing the star-args condition.
In order to avoid pylint error with > 1.4.3 stop caring for star-args
and add cmdline option to ignore those errors completly so older pylint
versions are happy too.
Also fix type() vs isinstance() checks, isinstance is generally a more
correct approach to check for classes.
In some 'admin' files the type() -> isinstance() fix required to invert
the order in which ComplexList and MappingList are checked as the latter
is a subclass of ComplexList, so it needs to be checked first otherwise
the check for isinstance(option, ComplexList) matches for both and the
code stops functioning properly.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This was originally getting the principal from the
user object itself which meant it was looking for
it in the database. Look in the attributes instead
which are stored in the user session.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This replaces the print statements in the installer code with
a python logger so we can log all output to the installer log
and a subset of it to stdout in one step without duplication.
The cherrypy.log.error() logs to the "error" log at a severity
of logging.INFO by default. Set an appropriate log level for
these as well.
https://fedorahosted.org/ipsilon/ticket/35
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This method was deprecated but still used in a lot of places.
https://fedorahosted.org/ipsilon/ticket/120
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.
https://fedorahosted.org/ipsilon/ticket/114
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This buidls up a specific global mapping and allowed attributes then
creates an SP-specific configuration which differs enough to confirm
that it is in fact overriding the default. It finishes by removing the
per-SP configuration and ensuring that it falls back to the IdP-default.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
If you created rule(s) in an SP for either allowed attributes or
attribute mapping there was no way to remove the last rule meaning
it could never go back to use the global defaults.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The per-SP values are considered overrides and the global values
are default.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The configuration class was originally intended to be tied. At this
point it is quite generic and useful outside of plugins. Rename
it to something more generic and move it into the config module.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This makes the look-and-feel the same between the SAML2 configuration
and the per-SP configuration.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
There were places where a broad exception was caught when saving
administrative changes but the actual exception wasn't logged. The
user was presented only with a 'Failed to save data!' message.
https://fedorahosted.org/ipsilon/ticket/39
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were previously only validating the SP name in the admin pages
for SP creation and update. The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.
This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code. This
ensures that validation will occur regardless of the interface
that is used. In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.
https://fedorahosted.org/ipsilon/ticket/102
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Perform Single Logout for the current user when a logout is initiated
in the IdP.
A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.
https://fedorahosted.org/ipsilon/ticket/87
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.
https://fedorahosted.org/ipsilon/ticket/88
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Return the name the user authenticated with.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This also makes persistent the default NameID format when generating
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
NameQualifier and SPNameQualifier are optional and are not included.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a new login session is received and an existing session
exists in logout, save the old session IDs.
These will be included in the sessions to logout of the SP.
This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.
https://fedorahosted.org/ipsilon/ticket/64
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.
https://fedorahosted.org/ipsilon/ticket/61
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Also removes internal attributes (any attribute that starts with _
Fixes: https://fedorahosted.org/ipsilon/ticket/71
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The mount point is /idp/rest/providers/saml2/SPS.
GET .../SPS will retrieve all Service Providers
GET .../SPS/foo will retrieve the Service Provider named foo
POST .../SPS/foo will create the Service Provider named foo
https://fedorahosted.org/ipsilon/ticket/26
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The main userdata dict contains common attributes, but we add
a sepcial groups list and unmapped extras, as well as indicators
like auth_type.
All these additional attributes are now prefixed by a _ character
so that conflicts with legitimate attributes are improbable.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/24
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/24
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
| |
This way if CSS/Code changes we have just one place to fix.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When user information is retrieved we map any wellknown data to a
standardized set of names.
A ne InfoMapping class takes cares of helping the info modules to
map the data they retrieve so that providers can find it in wellknown
attribute names for further use.
Mapping of attribute names for diplay purposes is also provided.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
| |
These are generically useful and can be rused as they are by other
providers.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This is to allow different default headers between Admin pages and
other pages.
In particular we set no-caching headers to all admin pages to force
browsers to refresh as often as possible.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The Page util is supposed to intercept and enable exposed pages on
its own so that additional functions can be run in the generic __call__
Fix the code to check for the function argument correctly and use a
different argument than the standard cherrypy one for admin pages so
that we do actually land in the Page.__call__ all the time for those
pages.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
| |
This fixes enabling a provider after the sever is started.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
| |
also adds quickrun.py script to make it easy.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Replace copies of _debug function sprinkled all over the code
with a single implementation
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
- Removed replace of self._debug to self.debug
|
| |
|
|
|
|
|
| |
This way a user can avoid copying the metadata file arund but paste
the content straight from a terminal window.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
