summaryrefslogtreecommitdiffstats
path: root/ipsilon/providers
diff options
context:
space:
mode:
authorSimo Sorce <simo@redhat.com>2015-01-19 17:47:56 -0500
committerPatrick Uiterwijk <puiterwijk@redhat.com>2015-01-29 20:06:51 +0100
commit0d5c4ff5229880b6eba12a4e7e5bfbab2f415caa (patch)
tree49635c00dd383fdf385110b603662d4007266640 /ipsilon/providers
parentc9ce29a7610b8b2232422623e28d35417b81fe76 (diff)
downloadipsilon-0d5c4ff5229880b6eba12a4e7e5bfbab2f415caa.tar.gz
ipsilon-0d5c4ff5229880b6eba12a4e7e5bfbab2f415caa.tar.xz
ipsilon-0d5c4ff5229880b6eba12a4e7e5bfbab2f415caa.zip
Add expiration to Idp metadata
Also regenerate it frequently, so that any change in configuration can be automatically reflected in the metadata downloaded my clients over time. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'ipsilon/providers')
-rw-r--r--ipsilon/providers/saml2idp.py37
1 files changed, 32 insertions, 5 deletions
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index 298a205..1778307 100644
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -26,8 +26,10 @@ from ipsilon.util.user import UserSession
from ipsilon.util.plugin import PluginObject
from ipsilon.util import config as pconfig
import cherrypy
+from datetime import timedelta
import lasso
import os
+import time
class Redirect(AuthenticateRequest):
@@ -96,15 +98,39 @@ class SSO(ProviderPageBase):
self.Continue = Continue(*args, **kwargs)
+# one week
+METADATA_RENEW_INTERVAL = 60 * 60 * 24 * 7
+# 30 days
+METADATA_VALIDITY_PERIOD = 30
+
+
class Metadata(ProviderPageBase):
def GET(self, *args, **kwargs):
- with open(self.cfg.idp_metadata_file) as m:
- body = m.read()
+
+ body = self._get_metadata()
cherrypy.response.headers["Content-Type"] = "text/xml"
cherrypy.response.headers["Content-Disposition"] = \
'attachment; filename="metadata.xml"'
return body
+ def _get_metadata(self):
+ if os.path.isfile(self.cfg.idp_metadata_file):
+ s = os.stat(self.cfg.idp_metadata_file)
+ if s.st_mtime > time.time() - METADATA_RENEW_INTERVAL:
+ with open(self.cfg.idp_metadata_file) as m:
+ return m.read()
+
+ # Otherwise generate and save
+ idp_cert = Certificate()
+ idp_cert.import_cert(self.cfg.idp_certificate_file,
+ self.cfg.idp_key_file)
+ meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
+ timedelta(METADATA_VALIDITY_PERIOD))
+ body = meta.output()
+ with open(self.cfg.idp_metadata_file, 'w+') as m:
+ m.write(body)
+ return body
+
class SAML2(ProviderPageBase):
@@ -244,8 +270,8 @@ Provides SAML 2.0 authentication infrastructure. """
class IdpMetadataGenerator(object):
- def __init__(self, url, idp_cert):
- self.meta = metadata.Metadata(metadata.IDP_ROLE)
+ def __init__(self, url, idp_cert, expiration=None):
+ self.meta = metadata.Metadata(metadata.IDP_ROLE, expiration)
self.meta.set_entity_id('%s/saml2/metadata' % url)
self.meta.add_certs(idp_cert, idp_cert)
self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
@@ -292,7 +318,8 @@ class Installer(object):
if opts['secure'].lower() == 'no':
proto = 'http'
url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
- meta = IdpMetadataGenerator(url, cert)
+ meta = IdpMetadataGenerator(url, cert,
+ timedelta(METADATA_VALIDITY_PERIOD))
if 'krb' in opts and opts['krb'] == 'yes':
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)