.git/ipsilon/providers, branch db_sessions Unnamed repository; edit this file 'description' to name the repository. Use plugin-specific configuration, better expiration 2015-05-11T22:14:42+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:14:42+00:00 551456691bcca369308cc8580705f1baa258f9fe Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick). https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Remove expired SAML2 sessions 2015-05-11T20:47:24+00:00 Rob Crittenden rcritten@redhat.com 2015-04-20T20:44:41+00:00 d169919a1ff5a7668c8bb23a45b59011a91132e1 Run a cherrypy background task to sift through the sessions database and find expired entries and remove them. From my testing if a previous execution of the background task is still executing when the next one is scheduled to run, it will skip it. In other words, you can't end up with multiple expirations running at the same time. Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.

From my testing if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Update IdP-initiated logout to use SAML2 Store 2015-05-11T20:47:22+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:44:04+00:00 acc8954e5812fa65040192e92170b05beada359f This moves the order in which the "fake" session is created and it gives it a unique ID rather than using a fixed value. Rely on the LogoutRequest request ID so we can get the order of logout correct. The basic idea is a logout request is created for the IdP containing the URL of the IdP itself as the RelayState. A session is picked and a LogoutRequest generated and sent. There will be a LogoutRequest/LogoutResponse back and forth until there are no more sessions to log out. The last session will be this "fake" session that started it all and the user will be redirected to the main page of the IdP. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
This moves the order in which the "fake" session is created and
it gives it a unique ID rather than using a fixed value.

Rely on the LogoutRequest request ID so we can get the
order of logout correct.

The basic idea is a logout request is created for the IdP
containing the URL of the IdP itself as the RelayState. A
session is picked and a LogoutRequest generated and sent.

There will be a LogoutRequest/LogoutResponse back and forth
until there are no more sessions to log out. The last
session will be this "fake" session that started it all
and the user will be redirected to the main page of the IdP.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Convert logout code to use SAML2 Store 2015-05-11T20:46:49+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:40:30+00:00 0d953410a7bfe4dec208eb9b9b709139ce652ab7 This is functionally the same. The primary differences are: - When logging out, fetch all requested session indexes in the LogoutRequest. - Store the LogoutRequest request ID to be used later when a LogoutResponse is received to look up the logout. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
This is functionally the same. The primary differences are:

- When logging out, fetch all requested session indexes in the
  LogoutRequest.
- Store the LogoutRequest request ID to be used later when a
  LogoutResponse is received to look up the logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Create a SAML2 session during login 2015-05-11T20:46:46+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:38:14+00:00 83eaba272f07960189c71467ac8d774181e4d2d5 Use the updated session API to create a SAML2 session. Note that each session is stored discretely. Previously if a session for a provider already existed then that one session held all the session indexes. Now if a new session comes in it is added separately. During logout all sessions for a provider are retrieved and all logged-in sessions sent to the SP to log out. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Use the updated session API to create a SAML2 session.
Note that each session is stored discretely. Previously if
a session for a provider already existed then that one session
held all the session indexes. Now if a new session comes in
it is added separately. During logout all sessions for a provider
are retrieved and all logged-in sessions sent to the SP to
log out.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Change SAML2 sessions backend to use Store API 2015-05-11T20:45:53+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:35:25+00:00 2408ee947ef6dbb62022afc4d488e665d6726411 The basic session API remains the same, just replace the calls to pull data out of the user session to instead pull from the database. The per-session logout state is now a constant rather than being a member of either the logged_in or logging_out dictionaries. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
The basic session API remains the same, just replace
the calls to pull data out of the user session to
instead pull from the database.

The per-session logout state is now a constant rather than
being a member of either the logged_in or logging_out
dictionaries.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Implement change registration 2015-05-08T20:34:02+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-05-08T16:12:06+00:00 485baf6ee7a315d1af1086fe5b5da8cff6c4ba37 This will make it possible for plugins to register what they have changed during installation, so that they can revert any changes they made during the uninstallation. https://fedorahosted.org/ipsilon/ticket/67 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This will make it possible for plugins to register what they
have changed during installation, so that they can revert
any changes they made during the uninstallation.

https://fedorahosted.org/ipsilon/ticket/67

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Implement ECP in Ipsilon 2015-05-08T15:17:02+00:00 John Dennis jdennis@redhat.com 2015-01-26T21:04:40+00:00 be55bdf7ee36ad38b25b5f79fc4b82edb2557148 * add saml2/SSO/SOAP endpoint. * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support. * add SSO_SOAP soap authentication handler (used for ECP). * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding. * add some constants needed for ECP https://fedorahosted.org/ipsilon/ticket/4 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

https://fedorahosted.org/ipsilon/ticket/4

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Update Copyright header point to COPYING file 2015-05-08T15:00:48+00:00 Rob Crittenden rcritten@redhat.com 2015-05-08T02:40:19+00:00 cfe24fa3dc15d87f3ace944a2d62a0f4c5ee496c Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit. https://fedorahosted.org/ipsilon/ticket/126 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Point to a file containing the license rather than including
it in every single source file. This will make it easier to
manage the license in the future without another humongous
commit.

https://fedorahosted.org/ipsilon/ticket/126

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
pylint 1.4.3 version fixes 2015-05-07T18:44:20+00:00 Simo Sorce simo@redhat.com 2015-05-07T16:33:40+00:00 1bcc0d697dd37a9268641f0cbaa7e9e781552233 Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completly so older pylint versions are happy too. Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes. In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Pylint 1.4.3 completely stopped recognizing the star-args condition.
In order to avoid pylint error with > 1.4.3 stop caring for star-args
and add cmdline option to ignore those errors completly so older pylint
versions are happy too.

Also fix type() vs isinstance() checks, isinstance is generally a more
correct approach to check for classes.

In some 'admin' files the type() -> isinstance() fix required to invert
the order in which ComplexList and MappingList are checked as the latter
is a subclass of ComplexList, so it needs to be checked first otherwise
the check for isinstance(option, ComplexList) matches for both and the
code stops functioning properly.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>