path: root/ipsilon/util
Commit log (subject; author, date, files changed, lines removed/added):
* Mark the service as readonly in the UI in authpam plugin
  Rob Crittenden, 2015-08-18 (files: 1, lines: -18/+29)
  Update the Option class to take a readonly keyword argument, defaulting to False. Extend its subclasses to pass this value along. The page template will add the disabled keyword to input and textarea if a config option is marked as readonly.
  https://fedorahosted.org/ipsilon/ticket/6
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Drop all the calls to .keys() when iterating on the keys of a dict
  Pierre-Yves Chibon, 2015-08-11 (files: 2, lines: -2/+2)
  When browsing the keys of a dictionary, you can use the ``.keys()`` method but that is in fact only really useful if you want to store the list of keys first and act on them (like sorting them or so). If you just want to iterate through all the keys, no matter the order, then it is much much faster to just do: ``for key in dict``
  Some stats about this can be found there: http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self
  Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add support for logout over SOAP
  Rob Crittenden, 2015-07-16 (files: 1, lines: -1/+7)
  As each login session comes in, store the supported logout mechanisms in the SP metadata. Upon a logout request, loop through all of those SPs that support SOAP and log those out first, then log out any remaining sessions using HTTP Redirect.
  https://fedorahosted.org/ipsilon/ticket/59
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use plugin-specific configuration, better expiration
  Rob Crittenden, 2015-05-12 (files: 1, lines: -3/+17)
  Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick).
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add support for storing SAML2 sessions
  Rob Crittenden, 2015-05-12 (files: 1, lines: -0/+64)
  Store SAML2 session information in a table rather than with the user entry so sessions can be persisted past IdP restarts and if the user accesses the system via multiple browsers SLO will log out all sessions, not just the user session that initiated the logout.
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add database schema versioning
  Patrick Uiterwijk, 2015-05-08 (files: 1, lines: -0/+28)
  With this skeleton code we can add upgrade code if we ever change the database schema.
  https://fedorahosted.org/ipsilon/ticket/56
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Implement ECP in Ipsilon
  John Dennis, 2015-05-08 (files: 2, lines: -0/+72)
  * add saml2/SSO/SOAP endpoint.
  * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support.
  * add SSO_SOAP soap authentication handler (used for ECP).
  * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding.
  * add some constants needed for ECP
  https://fedorahosted.org/ipsilon/ticket/4
  Signed-off-by: John Dennis <jdennis@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Update Copyright header point to COPYING file
  Rob Crittenden, 2015-05-08 (files: 12, lines: -89/+12)
  Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit.
  https://fedorahosted.org/ipsilon/ticket/126
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add db.conn.log option to suppress sql logs by default
  Rob Crittenden, 2015-05-07 (files: 1, lines: -1/+7)
  The Store logging is quite verbose with a flurry of init and destroy messages with each session. Setting db.conn.log to False (default) will suppress these. If one needs to do connection tracing it can be enabled.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* pylint 1.4.3 version fixes
  Simo Sorce, 2015-05-07 (files: 6, lines: -15/+10)
  Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completely so older pylint versions are happy too.
  Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes.
  In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Use python logging in install / log cherrypy at right severity
  Rob Crittenden, 2015-05-07 (files: 4, lines: -7/+15)
  This replaces the print statements in the installer code with a python logger so we can log all output to the installer log and a subset of it to stdout in one step without duplication.
  The cherrypy.log.error() logs to the "error" log at a severity of logging.INFO by default. Set an appropriate log level for these as well.
  https://fedorahosted.org/ipsilon/ticket/35
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Drop usage of self._debug and use self.debug instead
  Rob Crittenden, 2015-05-05 (files: 4, lines: -16/+16)
  This method was deprecated but still used in a lot of places.
  https://fedorahosted.org/ipsilon/ticket/120
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Disallow iframes via X-Frame-Options and CSP by default
  Rob Crittenden, 2015-04-24 (files: 1, lines: -0/+20)
  A decorator, allow_iframe, is also created so that specific pages can remove the deny values and allow operating within a frame. The Persona plugin relies on iframes and uses this decorator for all endpoints.
  https://fedorahosted.org/ipsilon/ticket/15
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Close database sessions
  Patrick Uiterwijk, 2015-04-15 (files: 1, lines: -3/+33)
  This will close any opened database sessions at the end of the request.
  https://fedorahosted.org/ipsilon/ticket/110
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* The last allowed/mapping rule can be removed in SPs
  Rob Crittenden, 2015-04-10 (files: 2, lines: -3/+11)
  If you created rule(s) in an SP for either allowed attributes or attribute mapping there was no way to remove the last rule meaning it could never go back to use the global defaults.
  https://fedorahosted.org/ipsilon/ticket/25
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Rename and move PluginConfig to ConfigHelper
  Rob Crittenden, 2015-04-10 (files: 2, lines: -39/+38)
  The configuration class was originally intended to be tied. At this point it is quite generic and useful outside of plugins. Rename it to something more generic and move it into the config module.
  https://fedorahosted.org/ipsilon/ticket/25
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add options to explicitly set database uris during install
  Patrick Uiterwijk, 2015-03-30 (files: 1, lines: -0/+1)
  Also offer the option to set the OpenID database URI during install
  https://fedorahosted.org/ipsilon/ticket/17
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Set Cache-control on all generated pages, centralize in Endpoint
  Rob Crittenden, 2015-03-19 (files: 2, lines: -2/+4)
  See "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0" section 3.2.3.2.
  https://fedorahosted.org/ipsilon/ticket/7
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Save user attributes on subsequent calls to login.
  Rob Crittenden, 2015-03-16 (files: 1, lines: -0/+2)
  When a login comes in via the remote_login() call no user attributes are set. These may be later filled in by a subsequent call to login() after the info plugins are called but a short-circuit in that function exits if the user matches the current session.
  Add an extra conditional such that if the user matches, userattributes are passed in and the current user attributes for this user are empty then save the new data.
  https://fedorahosted.org/ipsilon/ticket/86
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Don't explicitly save sessions
  Nathan Kinder, 2015-03-12 (files: 1, lines: -4/+0)
  Saving a session causes it to be unlocked, but sessions have a hook that also performs a save just before the session is finalized. In CherryPy 3.3.0 and later, an assertion was added to ensure that a session is locked when trying to perform a save. Since we perform explicit saves in our code, this causes the assertion to be tripped when the hook executes.
  This patch removes our explicit save calls. We should rely on the hook to save and unlock the session.
  https://fedorahosted.org/ipsilon/ticket/84
  Signed-off-by: Nathan Kinder <nkinder@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Proper fallback from referer to REQUEST_URI
  Simo Sorce, 2015-03-12 (files: 1, lines: -2/+4)
  If the referer is present but does not contain a transaction ID we still need to fall back to the REQUEST_URI. Fix the code to check the url and then fall back to REQUEST_URI rather than decide upfront merely on the fact a referer is available.
  https://fedorahosted.org/ipsilon/ticket/74
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Find transaction ids for internal redirects
  Simo Sorce, 2015-03-06 (files: 1, lines: -2/+8)
  On internal redirections, such as when ErrorDocument is used to redirect on failed negotiate authentication we need to look harder for the transaction id.
  Ticket: #74
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Change root class of Page from Log to Endpoint
  Rob Crittenden, 2015-02-27 (files: 1, lines: -2/+3)
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Low-level class for managing request endpoints
  Rob Crittenden, 2015-02-27 (files: 1, lines: -0/+82)
  An Endpoint is different from a Page in that it doesn't have menus, templates, transactions, etc. It only defines a URL that can be mounted.
  https://fedorahosted.org/ipsilon/ticket/38
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Make the configparser case sensitive.
  Patrick Uiterwijk, 2015-02-24 (files: 1, lines: -0/+1)
  Per the instructions of https://docs.python.org/2/library/configparser.html#ConfigParser.RawConfigParser.optionxform
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Make available case insensitive mapping matching
  Simo Sorce, 2015-02-24 (files: 1, lines: -19/+96)
  If ignore_case is True then the incoming attributes are matched case-insensitively in the policy engine. The case of the incoming attribute is not changed on wildcard matches. On other matches attributes will be replaced according to the mapping tables and the case used will be that of the mapped attributes.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Do not crash on failure to load config
  Simo Sorce, 2015-02-24 (files: 1, lines: -1/+5)
  Just report an error and continue with default values.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add config option to load mapping lists
  Simo Sorce, 2015-02-24 (files: 1, lines: -1/+47)
  This requires careful handling, and should be used sparingly
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add Policy class to help filter attributes
  Simo Sorce, 2015-02-24 (files: 1, lines: -0/+319)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add helper to store provider specific data
  Rob Crittenden, 2015-02-13 (files: 1, lines: -0/+16)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add expiration to Idp metadata
  Simo Sorce, 2015-01-29 (files: 1, lines: -1/+9)
  Also regenerate it frequently, so that any change in configuration can be automatically reflected in the metadata downloaded by clients over time.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix request multipart logging when only 1 part is present
  John Dennis, 2015-01-27 (files: 1, lines: -10/+18)
  Test to see if the request parameter value is a cherrypy Part class. This was already being done for the case where the value was a list, but it was omitted for single values. Logic was combined into new local function print_param().
  Changed the test for the class back to using
    if isinstance(item, cherrypy._cpreqbody.Part):
  instead of:
    if getattr(item, "part_class", None):
  because using isinstance() clearly indicates what is being done. The use of getattr() was introduced to prevent a pylint warning concerning use of protected values. The getattr() hack is confusing and probably not robust if the class implementation changes. The patch now disables this warning. I cannot explain why cherrypy marks these modules as protected when clearly one has to utilize them and they are documented in the cherrypy API doc. Disabling the warning seems the cleanest and most robust approach.
  Signed-off-by: John Dennis <jdennis@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix int/pep8 errors in latest patches
  Simo Sorce, 2015-01-26 (files: 1, lines: -9/+11)
  Mea culpa for not checking before pushing
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: John Dennis <jdennis@redhat.com>
* Add source code context information to debug logs
  John Dennis, 2015-01-26 (files: 1, lines: -3/+64)
  The log.debug() function helpfully adds the name of the function invoking it but in a complicated software package there are many functions/methods which share the same name. Thus a debug message like this:
    DEBUG(__init__): xxx
  does not give you much context, there are probably hundreds of __init__ methods. It would help to qualify the method name with its class name, that gives a lot more context when reading the log. Sometimes it's also helpful to know the file and line number.
  This patch adds the class name to the function and includes the filename and line number as well. The file path is trimmed to the last 3 components, sufficient to give context but not too verbose. Now the debug message might look like this instead:
    DEBUG(ipsilon/providers/common.py:129 LoadProviders.__init__()): xxx
  Also included is a config option 'stacktrace_on_error' which will include a stacktrace when the log.error function is called. It can be very useful to see a stacktrace when logging an error, it defaults to off.
  Signed-off-by: John Dennis <jdennis@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add request/response logging via cherrypy tool hooks
  John Dennis, 2015-01-26 (files: 1, lines: -0/+238)
  The ability to easily review the HTTP Ipsilon request and response is a boon for development and issue debugging. Normally these HTTP conversations occur on SSL/TLS encrypted connections making it difficult to use other tools to view the traffic. Client side tools have known pitfalls (e.g. Firebug) and not all conversations are browser initiated (e.g. SAML ECP). Logging performed by the server hosting Ipsilon makes logging at the server level server specific (e.g. Apache's dumpio requires post-processing the log file to extract and reassemble the HTTP conversation).
  The best place to log requests and responses is within Ipsilon using the cherrypy framework Ipsilon is embedded in. Cherrypy provides user defined hooks that can be invoked at specific places in the request pipeline. We establish a hook at the last stage just before the response is written to the client, it logs the incoming request and outgoing response.
  Resolves: https://fedorahosted.org/ipsilon/ticket/44
  Signed-off-by: John Dennis <jdennis@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Use referer too as source of transaction IDs
  Simo Sorce, 2015-01-16 (files: 2, lines: -6/+37)
  This allows us to use Apache modules that use things like ErrorDocument directives to do internal redirects and still retain the original transaction intact.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix file permissions and remove shebangs
  Patrick Uiterwijk, 2014-12-16 (files: 10, lines: -20/+0)
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add defaults to List objects
  Simo Sorce, 2014-12-05 (files: 1, lines: -0/+2)
  Otherwise we get backtraces when checking for list members and no configuration has been stored in the database yet.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Allow to pass directly a URL to the Store class
  Simo Sorce, 2014-12-05 (files: 1, lines: -4/+9)
  This is useful for plugins that want to use their own database configuration but still want to reuse the Store class for simplicity.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Return proper errors if config is read-only
  Simo Sorce, 2014-11-12 (files: 1, lines: -0/+8)
  Do not throw 501 errors, instead return warnings that the configuration changes cannot be applied.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add option to source configuration from a file
  Simo Sorce, 2014-11-12 (files: 1, lines: -6/+129)
  If the configfile:// schema is used, the data is sourced from an ini style config file instead of being read from a database.
  The tables in this data source will be considered read-only and all modification functions will throw exceptions.
  Only 2- and 3-column tables are supported, and the first column values must not contain spaces (typically a name/identifier).
  The adminconfig db is the only supported one at this time.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Remove unused option
  Simo Sorce, 2014-11-12 (files: 1, lines: -4/+2)
  Autotable is always enabled, so remove the option and just always use it.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Make internal functions private
  Simo Sorce, 2014-11-12 (files: 1, lines: -6/+6)
  load_data and reset_data are used only internally, turn them into private functions
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Remove unused function
  Simo Sorce, 2014-11-12 (files: 1, lines: -3/+0)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Refactor plugin initialization and enablement
  Simo Sorce, 2014-11-12 (files: 1, lines: -43/+94)
  Move most plugin enablement and initialization code in plugin.py to reduce code duplication and simplify and unify plugin enablement for all base plugin types (login, info, providers).
  This patch breaks backwards compatibility as it changes how the list of enabled plugins is stored in the database tables.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Refactor plugin configuration
  Simo Sorce, 2014-11-12 (files: 2, lines: -98/+60)
  Fork a PluginConfig class out of PluginObject, the base object now supports a simple dictionary config, while using PluginConfig provides access to structured util.config based configuration.
  Change UI code that deals with plugins configuration to properly use the new structured config objects in order to represent data in appropriate format based on the data type.
  Use the new util.config objects to represent plugins configuration.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add config utilities to represent data types
  Simo Sorce, 2014-11-12 (files: 1, lines: -0/+297)
  This will be used to properly format data in configuration UIs, and to properly import/export data from/to the database for internal use.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add simple SqlSession implementation
  Simo Sorce, 2014-11-12 (files: 1, lines: -0/+74)
  This allows us to store session data in the DB. This way session data can be shared by multiple servers behind a balancer.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Allow to call forms from any of the admin pages
  Simo Sorce, 2014-10-27 (files: 1, lines: -6/+15)
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Properly handle empty values in storage
  Simo Sorce, 2014-10-24 (files: 1, lines: -1/+1)
  Do not return default values if an actual empty string is found in the database.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>