.git/ipsilon/util, branch db_sessions Unnamed repository; edit this file 'description' to name the repository. Use plugin-specific configuration, better expiration 2015-05-11T22:14:42+00:00 Rob Crittenden rcritten@redhat.com 2015-05-11T22:14:42+00:00 551456691bcca369308cc8580705f1baa258f9fe Use a SAML2 plugin specific option to specify the database uri for sessions. Use a much more robust method to find sessions that need expiration (thanks Patrick). https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Add support for storing SAML2 sessions 2015-05-11T20:45:53+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T13:30:31+00:00 9145bdded79662865763c744a1de66131675f1ad Store SAML2 session information in a table rather than with the user entry so sessions can be persisted past IdP restarts and if the user accesses the system via multiple browsers SLO will log out all sessions, not just the user session that initiated the logout. https://fedorahosted.org/ipsilon/ticket/90 Signed-off-by: Rob Crittenden <rcritten@redhat.com> 
Store SAML2 session information in a table rather than with the
user entry so sessions can be persisted past IdP restarts and if
the user accesses the system via multiple browsers SLO will log
out all sessions, not just the user session that initiated the
logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Add database schema versioning 2015-05-08T17:33:49+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-05-08T14:56:36+00:00 9b7f9756d89f0a7908d9b7323f682f34b37d200e With this skeleton code we can add upgrade code if we ever change the database schema. https://fedorahosted.org/ipsilon/ticket/56 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
With this skeleton code we can add upgrade code
if we ever change the database schema.

https://fedorahosted.org/ipsilon/ticket/56

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Implement ECP in Ipsilon 2015-05-08T15:17:02+00:00 John Dennis jdennis@redhat.com 2015-01-26T21:04:40+00:00 be55bdf7ee36ad38b25b5f79fc4b82edb2557148 * add saml2/SSO/SOAP endpoint. * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support. * add SSO_SOAP soap authentication handler (used for ECP). * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding. * add some constants needed for ECP https://fedorahosted.org/ipsilon/ticket/4 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

https://fedorahosted.org/ipsilon/ticket/4

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Update Copyright header point to COPYING file 2015-05-08T15:00:48+00:00 Rob Crittenden rcritten@redhat.com 2015-05-08T02:40:19+00:00 cfe24fa3dc15d87f3ace944a2d62a0f4c5ee496c Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit. https://fedorahosted.org/ipsilon/ticket/126 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Point to a file containing the license rather than including
it in every single source file. This will make it easier to
manage the license in the future without another humongous
commit.

https://fedorahosted.org/ipsilon/ticket/126

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add db.conn.log option to suppress sql logs by default 2015-05-07T20:08:04+00:00 Rob Crittenden rcritten@redhat.com 2015-05-07T19:51:23+00:00 abcefb0f2eece549371f951b58144188d2ac9307 The Store logging is quite verbose with a flurry of init and destroy messages with each session. Setting db.conn.log to False (default) will suppress these. If one needs to do connection tracing it can be enabled. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The Store logging is quite verbose with a flurry of
init and destroy messages with each session. Setting
db.conn.log to False (default) will suppress these. If one
needs to do connection tracing it can be enabled.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
pylint 1.4.3 version fixes 2015-05-07T18:44:20+00:00 Simo Sorce simo@redhat.com 2015-05-07T16:33:40+00:00 1bcc0d697dd37a9268641f0cbaa7e9e781552233 Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completly so older pylint versions are happy too. Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes. In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Pylint 1.4.3 completely stopped recognizing the star-args condition.
In order to avoid pylint error with > 1.4.3 stop caring for star-args
and add cmdline option to ignore those errors completly so older pylint
versions are happy too.

Also fix type() vs isinstance() checks, isinstance is generally a more
correct approach to check for classes.

In some 'admin' files the type() -> isinstance() fix required to invert
the order in which ComplexList and MappingList are checked as the latter
is a subclass of ComplexList, so it needs to be checked first otherwise
the check for isinstance(option, ComplexList) matches for both and the
code stops functioning properly.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Use python logging in install / log cherrypy at right severity 2015-05-07T14:44:23+00:00 Rob Crittenden rcritten@redhat.com 2015-04-21T22:19:17+00:00 aa5dc3b417db962a075a092d0d3528010c1059f7 This replaces the print statements in the installer code with a python logger so we can log all output to the installer log and a subset of it to stdout in one step without duplication. The cherrypy.log.error() logs to the "error" log at a severity of logging.INFO by default. Set an appropriate log level for these as well. https://fedorahosted.org/ipsilon/ticket/35 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This replaces the print statements in the installer code with
a python logger so we can log all output to the installer log
and a subset of it to stdout in one step without duplication.

The cherrypy.log.error() logs to the "error" log at a severity
of logging.INFO by default. Set an appropriate log level for
these as well.

https://fedorahosted.org/ipsilon/ticket/35

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Drop usage of self._debug and use self.debug instead 2015-05-05T18:32:24+00:00 Rob Crittenden rcritten@redhat.com 2015-04-29T17:57:34+00:00 158c4cdefc0bd5b8dabe38685c1bebccc24d656b This method was deprecated but still used in a lot of places. https://fedorahosted.org/ipsilon/ticket/120 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This method was deprecated but still used in a lot of places.

https://fedorahosted.org/ipsilon/ticket/120

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Disallow iframes via X-Frame-Options and CSP by default 2015-04-24T17:10:34+00:00 Rob Crittenden rcritten@redhat.com 2015-04-23T20:42:27+00:00 44f663ac7dc5a6f28b25b083a21f6d9e912cff92 A decorator, allow_iframe, is also created so that specific pages can remove the deny values and allow operating within a frame. The Persona plugin relies on iframes and uses this decorator for all endpoints. https://fedorahosted.org/ipsilon/ticket/15 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.

The Persona plugin relies on iframes and uses this decorator
for all endpoints.

https://fedorahosted.org/ipsilon/ticket/15

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>