Commit message | Author | Date | Files | Lines (-removed/+added)
* Add logout to pgdb, fix name in tests (db_sessions) | Rob Crittenden | 2015-05-11 | 1 | -3/+23
  Add a logout to the postgres test to ensure that sessions are updated properly on logout. Fix the name in the tests, it was test1.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Use plugin-specific configuration, better expiration | Rob Crittenden | 2015-05-11 | 8 | -36/+50
  Use a SAML2 plugin specific option to specify the database uri for sessions.
  Use a much more robust method to find sessions that need expiration (thanks Patrick).
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Remove expired SAML2 sessions | Rob Crittenden | 2015-05-11 | 2 | -8/+41
  Run a cherrypy background task to sift through the sessions database and find expired entries and remove them.
  From my testing if a previous execution of the background task is still executing when the next one is scheduled to run, it will skip it. In other words, you can't end up with multiple expirations running at the same time.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Update IdP-initiated logout to use SAML2 Store | Rob Crittenden | 2015-05-11 | 1 | -16/+20
  This moves the order in which the "fake" session is created and it gives it a unique ID rather than using a fixed value.
  Rely on the LogoutRequest request ID so we can get the order of logout correct.
  The basic idea is a logout request is created for the IdP containing the URL of the IdP itself as the RelayState. A session is picked and a LogoutRequest generated and sent. There will be a LogoutRequest/LogoutResponse back and forth until there are no more sessions to log out. The last session will be this "fake" session that started it all and the user will be redirected to the main page of the IdP.
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Convert logout code to use SAML2 Store | Rob Crittenden | 2015-05-11 | 1 | -40/+38
  This is functionally the same. The primary differences are:
  - When logging out, fetch all requested session indexes in the LogoutRequest.
  - Store the LogoutRequest request ID to be used later when a LogoutResponse is received to look up the logout.
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Create a SAML2 session during login | Rob Crittenden | 2015-05-11 | 1 | -13/+4
  Use the updated session API to create a SAML2 session.
  Note that each session is stored discretely. Previously if a session for a provider already existed then that one session held all the session indexes. Now if a new session comes in it is added separately. During logout all sessions for a provider are retrieved and all logged-in sessions sent to the SP to log out.
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Change SAML2 sessions backend to use Store API | Rob Crittenden | 2015-05-11 | 1 | -152/+224
  The basic session API remains the same, just replace the calls to pull data out of the user session to instead pull from the database.
  The per-session logout state is now a constant rather than being a member of either the logged_in or logging_out dictionaries.
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Configure the SAML2 session database during installation | Rob Crittenden | 2015-05-11 | 3 | -1/+8
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Add support for storing SAML2 sessions | Rob Crittenden | 2015-05-11 | 1 | -0/+64
  Store SAML2 session information in a table rather than with the user entry so sessions can be persisted past IdP restarts and if the user accesses the system via multiple browsers SLO will log out all sessions, not just the user session that initiated the logout.
  https://fedorahosted.org/ipsilon/ticket/90
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Add uninstallation support to infosssd | Patrick Uiterwijk | 2015-05-08 | 2 | -5/+75
  This should make it revert any changes it made during installation.
  https://fedorahosted.org/ipsilon/ticket/67
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Implement change registration | Patrick Uiterwijk | 2015-05-08 | 18 | -29/+59
  This will make it possible for plugins to register what they have changed during installation, so that they can revert any changes they made during the uninstallation.
  https://fedorahosted.org/ipsilon/ticket/67
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add database schema versioning | Patrick Uiterwijk | 2015-05-08 | 2 | -0/+29
  With this skeleton code we can add upgrade code if we ever change the database schema.
  https://fedorahosted.org/ipsilon/ticket/56
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Implement ECP in Ipsilon | John Dennis | 2015-05-08 | 5 | -4/+154
  * add saml2/SSO/SOAP endpoint.
  * add check for lasso version, ECP endpoint only exposed in metadata if lasso has full ECP support.
  * add SSO_SOAP soap authentication handler (used for ECP).
  * add SAML binding to transaction so we can determine if cookies and other HTTP concepts are expected. Each handler is responsible for setting the binding.
  * add some constants needed for ECP
  https://fedorahosted.org/ipsilon/ticket/4
  Signed-off-by: John Dennis <jdennis@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Update Copyright header to point to COPYING file | Rob Crittenden | 2015-05-08 | 81 | -706/+85
  Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit.
  https://fedorahosted.org/ipsilon/ticket/126
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Remove extraneous logging arg in authform login plugin | Rob Crittenden | 2015-05-08 | 1 | -2/+1
  If you didn't provide credentials at all at the form by pressing ENTER then a 500 error would be thrown rather than an authentication error.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Set infosssd config value preconfigured as a boolean | Rob Crittenden | 2015-05-08 | 1 | -1/+1
  It was storing a python boolean, which saved as integer 1, but when reading the data the Condition translates text into a python native value.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Add db.conn.log option to suppress sql logs by default | Rob Crittenden | 2015-05-07 | 3 | -1/+9
  The Store logging is quite verbose with a flurry of init and destroy messages with each session. Setting db.conn.log to False (default) will suppress these. If one needs to do connection tracing it can be enabled.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix ownership of config and state directories | Nathan Kinder | 2015-05-07 | 1 | -2/+2
  The recent RPM package restructuring introduced some problems with the ownership of /etc/ipsilon and /var/lib/ipsilon. These were previously owned by the 'ipsilon' user, but the changes resulted in the ownership being set as root since the 'ipsilon' user was not yet created when the directories were installed.
  While discussing this problem, it was determined that we should have the ownership of these directories be root, but allow other users to traverse through them so they can access subdirectories that they have permissions on.
  Signed-off-by: Nathan Kinder <nkinder@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* pylint 1.4.3 version fixes | Simo Sorce | 2015-05-07 | 24 | -44/+30
  Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completely so older pylint versions are happy too.
  Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes.
  In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Pull the GSSAPI principal out of the userattrs | Rob Crittenden | 2015-05-07 | 2 | -3/+5
  This was originally getting the principal from the user object itself which meant it was looking for it in the database. Look in the attributes instead which are stored in the user session.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Enable Kerberos NameID testing in testnameid | Rob Crittenden | 2015-05-07 | 1 | -16/+50
  Since there is now an easy way to stand up a KDC in the tests go ahead and enable it so the Kerberos NameID can be tested.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Configure a KDC, add test for GSSAPI/Kerberos | Rob Crittenden | 2015-05-07 | 6 | -17/+412
  Using nss_wrappers so we can control host names we can set up a KDC and test GSSAPI, including fallback to forms-based auth.
  This also means that fetch_page() needs to handle 401 a bit better, so it can re-try a failed authentication or fall back to forms-based auth.
  Note for posterity: if gss_localname() fails this is likely due to using the wrong krb5.conf in Apache, so pass in all environment variables.
  The KDC setup code was based heavily on the tests in the gssproxy project.
  https://fedorahosted.org/ipsilon/ticket/116
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Use python logging in install / log cherrypy at right severity | Rob Crittenden | 2015-05-07 | 15 | -59/+84
  This replaces the print statements in the installer code with a python logger so we can log all output to the installer log and a subset of it to stdout in one step without duplication.
  The cherrypy.log.error() logs to the "error" log at a severity of logging.INFO by default. Set an appropriate log level for these as well.
  https://fedorahosted.org/ipsilon/ticket/35
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Remove unnecessary lines from infoldap plugin | Rob Crittenden | 2015-05-07 | 1 | -3/+0
  These three lines were ostensibly storing various elements of configuration but were in fact creating a new dict each time, wiping out all previous elements.
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SSSD info plugin is immutable if not preconfigured | Simo Sorce | 2015-05-06 | 3 | -4/+37
  The SSSD info plugin configures SSSD and modules in Apache as root during installation. This cannot be done in the UI so we must not allow users to modify the state if it was not "preconfigured" during install. If it has been configured then users are allowed to enable/disable the plugin.
  This is controlled by a value stored in the info_config table, preconfigured.
  The plugin configuration is hidden from the UI by overriding the get_config_object() method.
  https://fedorahosted.org/ipsilon/ticket/111
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Drop usage of self._debug and use self.debug instead | Rob Crittenden | 2015-05-05 | 13 | -60/+60
  This method was deprecated but still used in a lot of places.
  https://fedorahosted.org/ipsilon/ticket/120
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix lint issues with loginstack changes | Rob Crittenden | 2015-04-29 | 1 | -9/+1
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Merge the login and info plugins configurations | Simo Sorce | 2015-04-29 | 7 | -8/+201
  Having separate login and info plugins configuration pages doesn't really make a lot of sense. As a first step moving towards login stacks put login and info plugin configuration into a common "Login Stack" menu item.
  https://fedorahosted.org/ipsilon/ticket/117
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Change references to authkrb plugin to authgssapi | Rob Crittenden | 2015-04-28 | 18 | -76/+73
  With the switch to mod_auth_gssapi we aren't limited to only negotiated Kerberos so name the plugin to reflect this.
  https://fedorahosted.org/ipsilon/ticket/114
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Rename authkrb plugin to authgssapi | Rob Crittenden | 2015-04-28 | 2 | -0/+0
  https://fedorahosted.org/ipsilon/ticket/114
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Insert a small timeout before reporting the test successful | Patrick Uiterwijk | 2015-04-28 | 1 | -0/+3
  This is so the OS gets enough time to clean up all of the sockets used during the execution of the test. Without this, sometimes a "port already in use" error will fail the next test.
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Allow scheme to be visible again in admin page | Patrick Uiterwijk | 2015-04-28 | 1 | -0/+2
  Without this, the browser will refuse to load the scheme.
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add OpenID test suite | Patrick Uiterwijk | 2015-04-28 | 7 | -9/+336
  This tests core OpenID and the Attribute Exchange, Simple Registration and Teams extensions.
  Using a small wsgi tool because mod_auth_openid does not support all extensions.
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Fix OpenID AX extension bug | Patrick Uiterwijk | 2015-04-28 | 1 | -1/+3
  This makes sure that _display returns a dict, and that the result from _resp can still be passed to addExtension.
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Fix Apache configuration to use correct location of ipsilon | Rob Crittenden | 2015-04-27 | 1 | -2/+2
  When I moved the ipsilon command from /usr/sbin to /usr/libexec I missed updating the Apache configuration.
  https://fedorahosted.org/ipsilon/ticket/119
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Make available a list of alternative auth methods | Simo Sorce | 2015-04-27 | 2 | -9/+32
  In the form case there is no way to automatically fall back to other auth methods or even repeat transparent methods.
  Add a simple list of alternative auth methods under the description box so that the user can easily switch back and forth between them if desired.
  Fixes: https://fedorahosted.org/ipsilon/ticket/96
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Populate krb_principal_name from GSS_NAME env var | Rob Crittenden | 2015-04-27 | 1 | -1/+5
  mod_auth_gssapi provides by default the local name in REMOTE_USER and the full principal in GSS_NAME. Grab a copy of that principal for krb_principal_name.
  https://fedorahosted.org/ipsilon/ticket/115
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Disallow iframes via X-Frame-Options and CSP by default | Rob Crittenden | 2015-04-24 | 2 | -0/+25
  A decorator, allow_iframe, is also created so that specific pages can remove the deny values and allow operating within a frame.
  The Persona plugin relies on iframes and uses this decorator for all endpoints.
  https://fedorahosted.org/ipsilon/ticket/15
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use the new transaction convenience function in Persona | Patrick Uiterwijk | 2015-04-24 | 1 | -10/+1
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Fix stricter lint checks | Simo Sorce | 2015-04-17 | 1 | -2/+2
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerb | Rob Crittenden | 2015-04-17 | 4 | -26/+20
  Change configuration on new installs only.
  Enable GssapiLocalName so we have access to the local name in REMOTE_USER and the full principal in GSS_NAME.
  Enable GssapiSSLonly even though SSLRequireSSL is also set. The belt and suspenders principle.
  https://fedorahosted.org/ipsilon/ticket/89
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Move ipsilon WSGI script from /usr/sbin to /usr/libexec | Rob Crittenden | 2015-04-15 | 2 | -3/+4
  This command is not intended to be executed by end-users.
  https://fedorahosted.org/ipsilon/ticket/76
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Release v0.6.0 | Patrick Uiterwijk | 2015-04-15 | 2 | -2/+5
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Close database sessions | Patrick Uiterwijk | 2015-04-15 | 3 | -3/+48
  This will close any opened database sessions at the end of the request.
  https://fedorahosted.org/ipsilon/ticket/110
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Better error handling for login mgrs in server install/uninstall | Rob Crittenden | 2015-04-13 | 1 | -8/+9
  The purpose is to catch it when either no modules are enabled or if you try to set the login module order and one of them is not available/installed, then fail gracefully.
  There were some baked-in assumptions that all login providers are installed. Add some error handling around trying to determine what is available, and rather than trying to force pam to be enabled just exit with a handy message.
  Don't rely on lm_order during uninstall. Use the list of enabled Login managers instead.
  Bail out of argument checking if uninstall is requested.
  https://fedorahosted.org/ipsilon/ticket/105
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix bootstrap tooltip error | Patrick Uiterwijk | 2015-04-13 | 1 | -1/+1
  This was caused by running the tooltip() function against the document object, while it should be run against the objects that use a tooltip.
  This new method is the suggested way to enable tooltips per http://getbootstrap.com/javascript/#tooltips-examples.
  https://fedorahosted.org/ipsilon/ticket/98
  Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Add test for per-SP allowed and mapping attributes | Rob Crittenden | 2015-04-10 | 4 | -0/+408
  This builds up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default.
  It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default.
  https://fedorahosted.org/ipsilon/ticket/25
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Make the authtest login plugin provide more info | Rob Crittenden | 2015-04-10 | 1 | -1/+6
  Provide more variables to test for in allow attribute and mapping testing.
  Adds givenname (Test User), surname (the username) and email (username@example.com).
  https://fedorahosted.org/ipsilon/ticket/25
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* The last allowed/mapping rule can be removed in SPs | Rob Crittenden | 2015-04-10 | 3 | -25/+41
  If you created rule(s) in an SP for either allowed attributes or attribute mapping there was no way to remove the last rule meaning it could never go back to use the global defaults.
  https://fedorahosted.org/ipsilon/ticket/25
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SAML SP template page is no longer needed | Rob Crittenden | 2015-04-10 | 1 | -69/+0
  The page is built up using the option_config.html template now.
  https://fedorahosted.org/ipsilon/ticket/25
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>