ipsilon.git/tests, branch rowmagic The Ipsilon project Validate SP names for admin pages and REST 2015-04-02T03:18:39+00:00 Nathan Kinder nkinder@redhat.com 2015-04-02T00:36:22+00:00 8ffd2629c6554124e7e3b15dce10275a2efd8261 We were previously only validating the SP name in the admin pages for SP creation and update. The REST API would allow a SP to be created with an invalid name, which would break the ability to manage that SP in the admin pages. This patch moves the SP name validation logic out of the admin page code and centralizes it in the provider creation code. This ensures that validation will occur regardless of the interface that is used. In addition, a helper method is added to allow the admin page to check if a name is valid during update operations. https://fedorahosted.org/ipsilon/ticket/102 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We were previously only validating the SP name in the admin pages
for SP creation and update.  The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.

This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code.  This
ensures that validation will occur regardless of the interface
that is used.  In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.

https://fedorahosted.org/ipsilon/ticket/102

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Allow SP registration from ipsilon-client-install 2015-04-02T02:54:20+00:00 Nathan Kinder nkinder@redhat.com 2015-03-31T02:36:04+00:00 9600cff7a3f93529ab56044968b489030f74b76c This optionally allows a SAML SP to be registered with the IDP when running ipsilon-client-install. To register an SP, the following options are used: --saml-idp-url (Ipsilon IDP URL) --saml-sp-name (Name to register the SP as) --admin-user (Ipsilon admin user) --admin-password (Ipsilon admin password file) If the --saml-idp-url option is set, we attempt to register the SP. The --saml-sp-name option is required if you are registering a SP. The --admin-user already defaults to admin, so it only needs to be specified if your admin user has a different username. If the --admin-password option is not specified, we prompt for the password. The --saml-idp-metadata was previously required, but this option is redundant if the new --saml-idp-url option is specified and you are not using a local copy of the IDP metadata. You can now just use the --saml-idp-url option, and we build the metadata URL from it. This helps to minimize the number of required options when you are registering an SP during installation. https://fedorahosted.org/ipsilon/ticket/101 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install.  To register an SP, the following
options are used:

  --saml-idp-url   (Ipsilon IDP URL)
  --saml-sp-name   (Name to register the SP as)
  --admin-user     (Ipsilon admin user)
  --admin-password (Ipsilon admin password file)

If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username.  If the
--admin-password option is not specified, we prompt for the password.

The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata.  You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.

https://fedorahosted.org/ipsilon/ticket/101

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
IdP-initiated logout for current user 2015-04-02T02:53:55+00:00 Rob Crittenden rcritten@redhat.com 2015-03-30T15:42:10+00:00 5497278fab59361c5b6bc5d3c17407128b924b9a Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Perform Single Logout for the current user when a logout is initiated
in the IdP.

A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.

https://fedorahosted.org/ipsilon/ticket/87

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Add options to explicitly set database uris during install 2015-03-30T18:20:11+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-03-30T14:38:10+00:00 3fd51fe0d4593cdc39c28f11deafe27845f25584 Also offer the option to set the OpenID database URI during install https://fedorahosted.org/ipsilon/ticket/17 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
Also offer the option to set the OpenID database URI during install

https://fedorahosted.org/ipsilon/ticket/17

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add tests for Name ID functionality 2015-03-24T13:42:24+00:00 Rob Crittenden rcritten@redhat.com 2015-03-19T19:20:28+00:00 0f56ef9942ee631a9306806bea8f3bb8e7b81076 Some Name ID formats are not implemented so are expected to fail. Kerberos is implemented but the test is done using form authentication so no Kerberos principal is available so authentication is denied. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Some Name ID formats are not implemented so are expected to fail.

Kerberos is implemented but the test is done using form authentication
so no Kerberos principal is available so authentication is denied.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent 2015-03-23T22:00:15+00:00 Rob Crittenden rcritten@redhat.com 2015-03-19T19:15:26+00:00 217cabe5a2b0950b9ac4090568aa8986d51f4fc5 This also makes persistent the default NameID format when generating metadata. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
This also makes persistent the default NameID format when generating
metadata.

https://fedorahosted.org/ipsilon/ticket/27

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add LDAP test 2015-03-23T14:44:25+00:00 Simo Sorce simo@redhat.com 2015-03-18T00:25:18+00:00 cacb41e93b377496e77f824f4f1b0ce206da0bed This finally tests the LDAP login/info plugins as well as the special "groups" attribute. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
This finally tests the LDAP login/info plugins as well as the special
"groups" attribute.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add negative authentication test 2015-03-18T00:37:55+00:00 Simo Sorce simo@redhat.com 2015-03-18T00:18:21+00:00 2b9b1190fdca8dc94d0a7d7f5f00d8084f729127 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Fix some pylint warnings in logout test about shadowing variables. 2015-03-16T20:54:15+00:00 Rob Crittenden rcritten@redhat.com 2015-03-16T20:39:02+00:00 bae1c5592da11f1fb2b9930730cf6acae942f3dc Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Add test for multi-SP logout 2015-03-16T17:47:45+00:00 Rob Crittenden rcritten@redhat.com 2015-03-04T22:49:40+00:00 e46c8f615f867d09ce76ee269b0ba81445ad320b Create an additional SP, log into one, fetch the other and the client is now logged into both. Log out of the first one and the client is logged out of both. https://fedorahosted.org/ipsilon/ticket/58 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com> 
Create an additional SP, log into one, fetch the other and
the client is now logged into both. Log out of the first one
and the client is logged out of both.

https://fedorahosted.org/ipsilon/ticket/58

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>