| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the mod_wsgi display-name setting to allow the Ipsilon
WSGI process to show up with a useful process name instead of
'httpd'. This allows one to easily distinguish the WSGI process
from other httpd processes.
https://fedorahosted.org/ipsilon/ticket/62
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication. We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.
This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified. In addition, we add a
rewrite rule to rewrite http requests to https for the SP.
https://fedorahosted.org/ipsilon/ticket/80
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This little javascript allows us to dyamically add form fields in
the ComplexList and MappingList tables. Makes it much easier to add
elements to these lists.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
This add support in the template for showing ComplexList and
MappingList options.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ability to easily review the HTTP Ipsilon request and response is
boon for development and issue debugging. Normally these HTTP
conversations occur on SSL/TLS encrypted connections making it
difficult to use other tools to view the traffic. Client side tools
have known pitfalls (e.g. Firebug) and not all conversations are
browser initiated (e.g. SAML ECP). Logging performed by the server
hosting Ipsilon makes logging at the server level server specific
(e.g. Apache's dumpio requires post-processing the log file to extract
and reassamble the HTTP conversation). The best place to log requests
and responses is within Ipsilon using the cherrypy framework
Ipsilon is embedded in. Cherrypy provides user defined hooks that can
be invoked at specific places in the request pipeline. We establish a
hook at the last stage just before the response is written to the
client, it logs the incoming request and outgoing response.
Resolves: https://fedorahosted.org/ipsilon/ticket/44
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Make it easier to recognize which plugins are enabled and which are
disabled. Also make it easier to recognize when a plugin has just changed
state, by flashing its row (help also realize it may have moved up/down)
Based on concept work by Petr Vobornik
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fork a PluginConfig class out of PluginObject, the base object now supports
a simple dictionary config, while using PluginConfig provide access to
structured util.config based configuration.
Change UI code that deal with plugins configuration to properly use the new
structured config objects in order to represent data in appropriate format
based on the data type.
Use the new util.config objects to represent plugins configuration.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
This allows us to store session data in the DB. This way session data can
be shared by multiple servers behind a balancer.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change config template to e able to set up ipsilon with an extrenal
database.
For the easy install the database server must have 3 datbases configured,
and named exactly: admincondif, userprefs, transactions
If different names are required manual instalation will be necessary.
Database URLs (including credentials) can be set using the new option
named --database-url
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
This SVG image contain HREF links that are template in jinja to link
images/text i the SVG to the menu pages.
Clicking on elements of the SVG thus redirects to the relevant menu item.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
Also fix a bug that would cause the config page to show no fields
when saving.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
This way we can remove even more duplicated code... \o/
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
Use the same templates for both info and login plugins
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
When the cancel button is hit return to the provider and eventually to the
original application via return urls.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
The form and fas template are identical so just drop the fas.html
template and use the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user information is retrieved we map any wellknown data to a
standardized set of names.
A ne InfoMapping class takes cares of helping the info modules to
map the data they retrieve so that providers can find it in wellknown
attribute names for further use.
Mapping of attribute names for diplay purposes is also provided.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This commit implements all the core functionality needed to expose
an OpenID Identity Provider including a framework to dynamycally add
extensions.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
Autodetect and convert config values based on the options definition.
If the option is marked as list split a string on setting the configuration
or join the list into a string before saving it to the database.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Change the admin plugin to not overwrite the plugin default options,
and only use the sanctioned pluginObject interfaces to read/write
config values.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
Fixes installation and quickrun
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
Ordering may also be partial, for any option not specified they will be
appended in lexycographic order.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
Avoids issues if multiple instances are used on the same server
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
Set session path so that the session is sent only for the specific instance
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This plugin simply take a Fedora username and password and authenticates
the user against the FAS Server.
FAS returned data is saved as userdata in the 'fas' attribute.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The protect decorator was not really being used for anything, remove it.
Change the way UserSession's remote_login() works.
If called now it either sets a REMOTE_USER (if found) or nukes the current
user data in the session.
This means this function can be safely called only in a login plugin now.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
Always deny access to the IDP if not using SSL by default.
Always turn on secure/httponly cookies by default.
Add a switch to disable all security options for testing.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Use this in the testsuite so we can get meaningful output in the logs
when something fails.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
make test will now run some sanity tests to make sure basic installation
procedures work in a sinthetic test environment.
Adds:
- custom httpd setup for tests
- use profiles to driver ipsilon servers and clients installation
- starts multiple httpd servers
This way we can test interaction between IDP and SP servers
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
To allow for testing in a custom rootdir, and with a custom user.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This should be used only for testing purposes
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This way a user can avoid copying the metadata file arund but paste
the content straight from a terminal window.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This should make clearer what is expected in each field.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
If the user cannot perform any action there is no reason to show the
save button.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Must be the same name wher ethe instance is mounted!
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Properly replace page self.url
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The WSGIProcessGroup directive should only apply to the /idp URI.
Without wrapping this directive in the Location element, multiple
Ipsilon instances or an Ipsilon instance installed on a FreeIPA
server will conflict and encounter problems running in the same
httpd process. All wsgi processes will end up redirected to the
last process grup defined in the configuration in this case and
all other instances of wsgi applications will be unreachable.
Resolves: https://fedorahosted.org/ipsilon/ticket/1
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Generates (self signed) certificates and a metdata.xml file.
Optionally configures an Apache Httpd server.
If the admin does not configure a specific application at install time
a default landing page is made available to be able to test that the SP
configuration works.
Uninstall removes all certificates and metadata file and is irreversible.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When plugins are not enabled at startup the admin page is not available
as it is created only on enablement.
Split enablement and registration, so plugins can be registered even
when actually disabled.
Also rework the way enablement is tracked and make sure enablement status
is saved back to the database when it changes so it is kept on restarts.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|