summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix error returned from login pluginsSimo Sorce2015-03-175-0/+7
| | | | | | | | | | | Some login plugins use form based authentication and let the user retry on authentication errors. This is fine, however the wrong error code is returned in this case, 401 should be returned. Fixes: https://fedorahosted.org/ipsilon/ticket/94 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Make SSSD Info enable the httpd_dbus_sssd boolean.Patrick Uiterwijk2015-03-171-0/+7
| | | | | | | https://fedorahosted.org/ipsilon/ticket/23#comment:13 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Build dated RPMs by defaultPatrick Uiterwijk2015-03-162-3/+8
| | | | | | | | This stores the build date and git commit in the version. This way, it's a lot easier to determine when it was last built. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Save user attributes on subsequent calls to login.Rob Crittenden2015-03-161-0/+2
| | | | | | | | | | | | | | | | | When a login comes in via the remote_login() call no user attributes are set. These may be later filled in by a subsequent call to login() after the info plugins are called but a short-circuit in that function exits if the user matches the current session. Add an extra conditional such that if the user matches, userattributes are passed in and the current user attributes for this user is empty then save the new data. https://fedorahosted.org/ipsilon/ticket/86 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Use the IPA API directly when adding the HTTP principalRob Crittenden2015-03-162-30/+49
| | | | | | | | | | | | | | This is the only way to force in a custom version string so that the remote IPA server doesn't reject the request as being newer than the server. This also removes the need to iterate over all servers as the IPA connection API does this automatically. https://fedorahosted.org/ipsilon/ticket/47 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Fix some pylint warnings in logout test about shadowing variables.Rob Crittenden2015-03-161-3/+4
| | | | | Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Add test for multi-SP logoutRob Crittenden2015-03-162-1/+119
| | | | | | | | | | | Create an additional SP, log into one, fetch the other and the client is now logged into both. Log out of the first one and the client is logged out of both. https://fedorahosted.org/ipsilon/ticket/58 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Set MALLOC_CHECK_ and MALLOC_PERTURB_ to catch memory problemsRob Crittenden2015-03-161-0/+3
| | | | | | | | | MALLOC_CHECK_ set to 3 should abort if a memory problem is found. MALLOC_PERTURB_ should catch any usage of freed memory. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Enable Apache access log and core dump in testsRob Crittenden2015-03-161-0/+7
| | | | | Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Don't explicitly save sessionsNathan Kinder2015-03-121-4/+0
| | | | | | | | | | | | | | | | | Saving a session causes it to be unlocked, but sessions have a hook that also performs a save just before the session is finalized. In CherryPy 3.3.0 and later, an assertion was added to ensure that a session is locked when trying to perform a save. Since we perform explicit saves in our code, this causes the assertion to be tripped when the hook executes. This patch removes our explicit save calls. We should rely on the hook to save and unlock the session. https://fedorahosted.org/ipsilon/ticket/84 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Proper fallback from referer to REQUEST_URISimo Sorce2015-03-121-2/+4
| | | | | | | | | | | | If the referer is present but does not contain a transaction ID we still need to fallback to the REQUEST_URI. Fix the code to check the url and then fallback to REQUEST_URI rathe than decide upfront merely on the fact a referer is available. https://fedorahosted.org/ipsilon/ticket/74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Validate SP path settings during installationNathan Kinder2015-03-111-0/+21
| | | | | | | | | | | | | | | | | | | | | | There are a number of URL path options that can be specified as options when running ipsilon-client-install. There are certain rules that must be followed to result in a valid mod_auth_mellon configuration: - All path options must be prefixed with '/'. - The mellon endpoint path (--saml-sp) must be a subpath of the httpd 'Location' element is it contained within (--saml-base). - The logout (--saml-sp-logout) and post (--saml-sp-post) paths must be subpaths of the mellon endpoint (--saml-sp). This adds validation for all of the above rules. https://fedorahosted.org/ipsilon/ticket/82 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add mod_wsgi display name for Ipsilon WSGI processNathan Kinder2015-03-111-1/+1
| | | | | | | | | | | | This adds the mod_wsgi display-name setting to allow the Ipsilon WSGI process to show up with a useful process name instead of 'httpd'. This allows one to easily distinguish the WSGI process from other httpd processes. https://fedorahosted.org/ipsilon/ticket/62 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add Cache-Control header to prevent browser caching of SAML auth locationNathan Kinder2015-03-101-0/+1
| | | | | | | | | | | | | We should prevent browser caching of the SAML auth location that we configure for an SP. This can be easily done by adding the following directive to that location in the httpd config: Header append Cache-Control "no-cache" https://fedorahosted.org/ipsilon/ticket/81 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Require SSL on SP when using --saml-secure-setupNathan Kinder2015-03-102-1/+14
| | | | | | | | | | | | | | | | If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We are not setting the SSLRequireSSL directive though, so we set mellon up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Find transaction ids for internal redirectsSimo Sorce2015-03-061-2/+8
| | | | | | | | | | | On internal redirections, such as when ErrorDocument is used to redirect on failed negotiate authentication we need to look harder for the transaction id. Ticket: #74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Fix transaction ID passing for failed authenticationPatrick Uiterwijk2015-03-031-3/+6
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Require admin when accessing REST pagesRob Crittenden2015-03-032-0/+8
| | | | | Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Install and package the new REST componentsRob Crittenden2015-03-032-2/+3
| | | | | Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add test for REST Service Provider GET and POSTRob Crittenden2015-02-273-9/+301
| | | | | | | | | | | | | | | | Provision two Service Providers then test: - We can fetch a blank list of SPs - Add an SP via the admin interface - We get list of all SPs and that is it - Add an SP via POST - We get list of all SPs and now there are two - We get a specific SP and confirm we got the right one. https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Break out getting SP metadata into a separate test helperRob Crittenden2015-02-271-3/+8
| | | | | | | | | This allows us to get the metadata for creation via REST POST https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Load and initialize REST in the SAML2 pluginRob Crittenden2015-02-271-0/+3
| | | | | | | https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Implement GET and POST REST API for Service ProvidersRob Crittenden2015-02-271-0/+107
| | | | | | | | | | | | | The mount point is /idp/rest/providers/saml2/SPS. GET .../SPS will retrieve all Service Providers GET .../SPS/foo will retrieve the Service Provider named foo POST .../SPS/foo will create the Service Provider named foo https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Load REST plugins onto the Root objectRob Crittenden2015-02-271-0/+4
| | | | | | | https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add base REST provider framework classesRob Crittenden2015-02-274-0/+141
| | | | | | | | | | | These classes handle mounting the REST plugins. The starting mount point is: /idp/rest/providers https://fedorahosted.org/ipsilon/ticket/26 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Change root class of Page from Log to EndpointRob Crittenden2015-02-271-2/+3
| | | | | Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Low-level class for managing request endpointsRob Crittenden2015-02-271-0/+82
| | | | | | | | | | | An Endpoint is different from a Page in that it doesn't have menus, templates, transactions, etc. It is only defines a URL that can be mounted. https://fedorahosted.org/ipsilon/ticket/38 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Bump version numbers for release v0.4.0Patrick Uiterwijk2015-02-272-3/+6
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add uninstallation support.Patrick Uiterwijk2015-02-2615-31/+147
| | | | | | | | | As part of this, made all plugins use a Installer baseclass. https://fedorahosted.org/ipsilon/ticket/38 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Avoid attrs test flakines, stop using info_nssSimo Sorce2015-02-241-4/+2
| | | | | | | | | authtest already sets the fullname attribute, just use that one instead of relying on nss which, on test systems may have a completely empty gecos field, which makes the test fail. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Split tools between components that require themPatrick Uiterwijk2015-02-241-1/+5
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com>
* __init__ needs to be in the main packagePatrick Uiterwijk2015-02-241-2/+1
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Bump spec filePatrick Uiterwijk2015-02-241-1/+5
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Do not require ipsilon-toolsPatrick Uiterwijk2015-02-241-1/+0
| | | | | | | If you want to install without the installer, it's not required Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Split the installer into -toolsPatrick Uiterwijk2015-02-241-4/+4
| | | | | | | The installer is not needed if you deploy with config management Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Split off authformPatrick Uiterwijk2015-02-241-2/+15
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make the configparser case sensitive.Patrick Uiterwijk2015-02-241-0/+1
| | | | | | | | Per the instructions of https://docs.python.org/2/library/configparser.html#ConfigParser.RawConfigParser.optionxform Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make available case insensitive mapping matchingSimo Sorce2015-02-241-19/+96
| | | | | | | | | | | | If ignore_case is True then the incomping attributes are matched case-insensitively in the policy engine. The CAse of the incoming attribute is not changed on wildcard matches. On ther matches attributes will be replaced according to the mapping tables and the case used will be that of the mapped attributes. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use the new Policy engine for login/info mappingSimo Sorce2015-02-245-64/+45
| | | | | | | | The InfoMapping class is now only used to prettify the default set of wellknown attributes. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add dynamic list to plugin_config formsSimo Sorce2015-02-242-4/+40
| | | | | | | | | This little javascript allows us to dyamically add form fields in the ComplexList and MappingList tables. Makes it much easier to add elements to these lists. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Handle changing MappingList optionsSimo Sorce2015-02-241-0/+85
| | | | | | | | Add admin function to handle getting a MappingList object in form of key/value pair fields. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Handle changing ComplexList optionsSimo Sorce2015-02-241-0/+67
| | | | | | | | Add admin function to handle getting a ComplexList object in form of key/value pair fields. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Do not crash on failure to load configSimo Sorce2015-02-241-1/+5
| | | | | | | Just report an error and continue with default values. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add support for new options to plugin_config.htmlSimo Sorce2015-02-241-1/+56
| | | | | | | | This add support in the template for showing ComplexList and MappingList options. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add support for attribute policies in openidpSimo Sorce2015-02-243-3/+30
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add support for attribute policies in samlidpSimo Sorce2015-02-242-2/+25
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add config option to load mapping listsSimo Sorce2015-02-241-1/+47
| | | | | | | This requires careful handling, and should be used sparingly Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add Policy class to help filter attributesSimo Sorce2015-02-242-0/+320
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Prefix userdata hives with _ to avoid conflictsSimo Sorce2015-02-248-48/+41
| | | | | | | | | | | The main userdata dict contains common attributes, but we add a sepcial groups list and unmapped extras, as well as indicators like auth_type. All these additional attributes are now prefixed by a _ character so that conflicts with legitimate attributes are improbable. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Change attrs test to check for fullnameSimo Sorce2015-02-241-7/+3
| | | | | | | | We are not going to return 'extras' by default, and the only nss attribute mapped to the 'userdata' space is the gecos (as 'fullname') Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>