summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fix sticter lint checksHEADmasterSimo Sorce2015-04-171-2/+2
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Use mod_auth_gssapi instead of mod_auth_kerbRob Crittenden2015-04-174-26/+20
| | | | | | | | | | | | | | | Change configuration on new installs only. Enable GssapiLocalName so we have access to the local name in REMOTE_USER and the full principle in GSS_NAME. Enable GssapiSSLonly even though SSLRequireSSL is also set. The belt and suspenders principla. https://fedorahosted.org/ipsilon/ticket/89 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Move ipsilon WSGI script from /usr/sbin to /usr/libexecRob Crittenden2015-04-152-3/+4
| | | | | | | | | This command is not intended to be executed by end-users. https://fedorahosted.org/ipsilon/ticket/76 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Release v0.6.0Patrick Uiterwijk2015-04-152-2/+5
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Close database sesssionsPatrick Uiterwijk2015-04-153-3/+48
| | | | | | | | | | This will close any opened database sessions at the end of the request. https://fedorahosted.org/ipsilon/ticket/110 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Better error handling for login mgrs in server install/uninstallRob Crittenden2015-04-131-8/+9
| | | | | | | | | | | | | | | | | | | | | The purpose is to catch it when either no modules are enabled or if you try to set the login module order and one of them is not available/installed, then fail gracefully. There were some baked-in assumptions that all login providers are installed. Add some error handling around trying to determine what is available, and rather than trying to force pam to be enabled just exit with a handy message. Don't rely on lm_order during uninstall. Use the list of enabled Login managers instead. Bail out of argument checking if uninstall is requested. https://fedorahosted.org/ipsilon/ticket/105 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix bootstrap tooltip errorPatrick Uiterwijk2015-04-131-1/+1
| | | | | | | | | | | | | This was caused by running the tooltip() function against the document object, while it should be ran against the objects that use a tooltip. This new method is the suggested way to enable tooltips per http://getbootstrap.com/javascript/#tooltips-examples. https://fedorahosted.org/ipsilon/ticket/98 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add test for per-SP allowed and mapping attributesRob Crittenden2015-04-104-0/+408
| | | | | | | | | | | | This buidls up a specific global mapping and allowed attributes then creates an SP-specific configuration which differs enough to confirm that it is in fact overriding the default. It finishes by removing the per-SP configuration and ensuring that it falls back to the IdP-default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make the authtest login plugin provide more infoRob Crittenden2015-04-101-1/+6
| | | | | | | | | | | | | Provide more variables to test for in allow attribute and mapping testing. Adds givenname (Test User), surname (the username) and email (username@example.com). https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* The last allowed/mapping rule can be removed in SPsRob Crittenden2015-04-103-25/+41
| | | | | | | | | | | If you created rule(s) in an SP for either allowed attributes or attribute mapping there was no way to remove the last rule meaning it could never go back to use the global defaults. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SAML SP template page is no longer neededRob Crittenden2015-04-101-69/+0
| | | | | | | | | The page is built up using the option_config.html template now. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add per-SP attribute mapping and allowed attributesRob Crittenden2015-04-103-124/+131
| | | | | | | | | | The per-SP values are considered overrides and the global values are default. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Rename and move PluginConfig to ConfigHelperRob Crittenden2015-04-107-51/+53
| | | | | | | | | | | The configuration class was originally intended to be tied. At this point it is quite generic and useful outside of plugins. Rename it to something more generic and move it into the config module. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Convert SAML2 SP Provider UI to use Config objectRob Crittenden2015-04-101-1/+91
| | | | | | | | | | This makes the look-and-feel the same between the SAML2 configuration and the per-SP configuration. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Move mapping and complex list helpers out of classRob Crittenden2015-04-101-146/+148
| | | | | | | | | | This is so other classes which are not an AdminPage can also have access to these helpers. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Rename plugin_config template to option_configRob Crittenden2015-04-101-2/+0
| | | | | | | | | | | | | | | Give the configuration template, which maps Config objects into HTML, a more generic name. Along with the rename this also drops the user.is_admin check so a user can manage their SP data. The backend still enforces writing. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Use disabled template for mappings and listsSimo Sorce2015-04-101-2/+40
| | | | | | | | | | | | | | This way lists and mappings can be empty and still allow cloning of the last row which is always disabled and hidden. The javascript now clones the last row then fixes the indexes in the new cloned row, and re-enables and un-hides the previous last which becomes a new empty row. https://fedorahosted.org/ipsilon/ticket/25 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Print exceptions when saving data fails in admin UIRob Crittenden2015-04-102-3/+6
| | | | | | | | | | | There were places where a broad exception was caught when saving administrative changes but the actual exception wasn't logged. The user was presented only with a 'Failed to save data!' message. https://fedorahosted.org/ipsilon/ticket/39 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Rework package setupPatrick Uiterwijk2015-04-101-34/+77
| | | | | | | | | This way you can install saml2 client without ipsilon-base. Also, -base is the server itself, ipsilon will give you the installer with it. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* This was renamed to _groups internallyPatrick Uiterwijk2015-04-102-3/+3
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* If sys.exit is called or SystemExit raised, don't display successRob Crittenden2015-04-101-0/+3
| | | | | | | | | | | | If sys.exit is called, which raises SystemExit, the finally at the end of the installer was treating it as a successful install and displaying messages to the user. Catch this exception and mark the install as failed to prevent this. https://fedorahosted.org/ipsilon/ticket/66 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Rename nss info plugin to match format of info+nameRob Crittenden2015-04-092-1/+1
| | | | | | | | | This also eliminates a namespace collision with python-nss https://fedorahosted.org/ipsilon/ticket/104 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Check if test deps are installedPatrick Uiterwijk2015-04-091-1/+31
| | | | | | https://fedorahosted.org/ipsilon/ticket/91 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Extend default SAML IdP metadata validity periodNathan Kinder2015-04-091-8/+26
| | | | | | | | | | | | | | | Our current default IdP metadata validity period is hardcoded to 30 days. This is very limiting for anything other than a test environment unless there is a way to allow SPs to automatically fetch updated metadata on a regular interval. This patch increases the default validity period to 5 years. In addition, a new option for ipsilon-server-install is provided to allow a different validity period to be specified. https://fedorahosted.org/ipsilon/ticket/103 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Suppress --config-profile option from installer script help outputNathan Kinder2015-04-062-2/+2
| | | | | | | | | | | | | The --config-profile option for the ipsilon-server-install and ipsilon-client-install commands is designed to be used by the in-tree functional tests. It is not meant to be used by users, but we are advertising the option in the help output. This patch suppresses the option from the help output. https://fedorahosted.org/ipsilon/ticket/37 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add document on web app integration for SAMLNathan Kinder2015-04-061-0/+415
| | | | | | | | | | This adds documentation on recommended practices for integrating web applications with Ipsilon for SAML SSO. https://fedorahosted.org/ipsilon/ticket/43 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Validate SP names for admin pages and RESTNathan Kinder2015-04-013-11/+49
| | | | | | | | | | | | | | | | | | We were previously only validating the SP name in the admin pages for SP creation and update. The REST API would allow a SP to be created with an invalid name, which would break the ability to manage that SP in the admin pages. This patch moves the SP name validation logic out of the admin page code and centralizes it in the provider creation code. This ensures that validation will occur regardless of the interface that is used. In addition, a helper method is added to allow the admin page to check if a name is valid during update operations. https://fedorahosted.org/ipsilon/ticket/102 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Allow SP registration from ipsilon-client-installNathan Kinder2015-04-012-9/+133
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This optionally allows a SAML SP to be registered with the IDP when running ipsilon-client-install. To register an SP, the following options are used: --saml-idp-url (Ipsilon IDP URL) --saml-sp-name (Name to register the SP as) --admin-user (Ipsilon admin user) --admin-password (Ipsilon admin password file) If the --saml-idp-url option is set, we attempt to register the SP. The --saml-sp-name option is required if you are registering a SP. The --admin-user already defaults to admin, so it only needs to be specified if your admin user has a different username. If the --admin-password option is not specified, we prompt for the password. The --saml-idp-metadata was previously required, but this option is redundant if the new --saml-idp-url option is specified and you are not using a local copy of the IDP metadata. You can now just use the --saml-idp-url option, and we build the metadata URL from it. This helps to minimize the number of required options when you are registering an SP during installation. https://fedorahosted.org/ipsilon/ticket/101 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* IdP-initiated logout for current userRob Crittenden2015-04-014-3/+145
| | | | | | | | | | | | | | Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* SP uninstall attempts to run installNathan Kinder2015-03-311-2/+2
| | | | | | | | | | | | When running 'ipsilon-client-install --uninstall' to uninstall a SP, we call the install routine again after completing the uninstallation. This leads to confusing error messages about missing required options. This patch corrects the uninstallation logic. https://fedorahosted.org/ipsilon/ticket/100 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Release v0.5.0Patrick Uiterwijk2015-03-302-2/+5
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Add options to explicitly set database uris during installPatrick Uiterwijk2015-03-305-9/+22
| | | | | | | | | Also offer the option to set the OpenID database URI during install https://fedorahosted.org/ipsilon/ticket/17 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Use all SSSD domains for info plugin by default.Rob Crittenden2015-03-271-11/+23
| | | | | | | | | | | | | | | | | Rather than requiring --info-sssd-domain as an argument make it an optional argument, defaulting to enabling all SSSD domains. Convert the argument from a single value into a list so that multiple invocations can be made and all domains in the list will be enabled. There is still the possibility that failures in configuring a domain will occur (no domain found, for example) and these are considered "soft" failures. That is it won't abort the server installation. https://fedorahosted.org/ipsilon/ticket/78 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add a method to Installer classes to validate argument inputRob Crittenden2015-03-275-0/+17
| | | | | | | | | | | | There was no way to validate argument input from plugins and cause the installer to bail out. If a plugin needs to validate some input it can use the validate_args() method and raise ConfigurationError() if an issue is found. https://fedorahosted.org/ipsilon/ticket/78 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Try to return a redirect instead a 400 for "not logged in" stateRob Crittenden2015-03-271-9/+43
| | | | | | | | | | | | If the user is not logged in and submits a valid logout request then just redirect the user to the RelayState in the request indicating that the logout was successful. This provides a better user experience. https://fedorahosted.org/ipsilon/ticket/88 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add tests for Name ID functionalityRob Crittenden2015-03-244-1/+356
| | | | | | | | | | | | Some Name ID formats are not implemented so are expected to fail. Kerberos is implemented but the test is done using form authentication so no Kerberos principal is available so authentication is denied. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make unspecified the default Name ID format, add to enabled listRob Crittenden2015-03-231-2/+3
| | | | | | | https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Allow user to specify Name ID format when configuring SP.Rob Crittenden2015-03-231-0/+4
| | | | | | | https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecifiedRob Crittenden2015-03-232-2/+2
| | | | | | | | | Return the name the user authenticated with. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistentRob Crittenden2015-03-235-8/+33
| | | | | | | | | | This also makes persistent the default NameID format when generating metadata. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transientRob Crittenden2015-03-231-2/+2
| | | | | | | | | NameQualifier and SPNameQualifier are optional and are not included. https://fedorahosted.org/ipsilon/ticket/27 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* When a new logout session is received, save old session idsRob Crittenden2015-03-232-1/+23
| | | | | | | | | | | | | | | When a new login session is received and an existing session exists in logout, save the old session IDs. These will be included in the sessions to logout of the SP. This will ensure that if the user clears their cookie cache, for example, that any previous sessions will also be logged out. https://fedorahosted.org/ipsilon/ticket/64 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Add LDAP testSimo Sorce2015-03-237-2/+252
| | | | | | | | This finally tests the LDAP login/info plugins as well as the special "groups" attribute. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix fetching infoldap plugin groupsSimo Sorce2015-03-232-8/+44
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* set SELinux boolean httpd_can_connect_ldap when install infolap and authldapJohn Dennis2015-03-232-0/+18
| | | | | Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Set Cache-control on all generated pages, centralize in EndpointRob Crittenden2015-03-195-17/+4
| | | | | | | | | | See "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0" section 3.2.3.2. https://fedorahosted.org/ipsilon/ticket/7 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Assertion AttributeStatements must be non-emptyJohn Dennis2015-03-181-8/+11
| | | | | | | | | | | | | | | The saml-core-2.0-os specification section 2.7.3 requires the AttributeStatement element to be non-empty. Shibboleth verifies this and rejects assertions that do not comply. We gather attributes into a local dict first before adding them to the AttributeStatement so the fix is easy. Test if the dict is empty, move the initialization of the assertion AttributeStatement inside the test so it's conditional on whether the dict has members. https://fedorahosted.org/ipsilon/ticket/61 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Allow SP installation to be on non-standard portsNathan Kinder2015-03-182-4/+21
| | | | | | | | | | | | | | | When setting up a SP using ipsilon-client-install, there is no ability to use a non-standard port. We should allow a port number to be specified that results in the proper URLs in the SP metadata. This patch adds a --port option to ipsilon-client-install. This is used in the construction of the URLs used in the SP metadata as well as in the httpd redirect rules if httpd is being configured. https://fedorahosted.org/ipsilon/ticket/92 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Properly handle groups info in SAML providerSimo Sorce2015-03-171-0/+6
| | | | | | | | | Also removes internal attributes (any attribute that starts with _ Fixes: https://fedorahosted.org/ipsilon/ticket/71 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Add negative authentication testSimo Sorce2015-03-171-0/+10
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>