summaryrefslogtreecommitdiffstats
path: root/ipsilon/login
Commit message (Collapse)AuthorAgeFilesLines
* IdP-initiated logout for current userRob Crittenden2015-04-011-1/+18
| | | | | | | | | | | | | | Perform Single Logout for the current user when a logout is initiated in the IdP. A fake initial session is created. In the current logout code the initial logout requestor holds the final redirect URL. In this case it redirects back to the root IdP page. https://fedorahosted.org/ipsilon/ticket/87 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Add a method to Installer classes to validate argument inputRob Crittenden2015-03-271-0/+3
| | | | | | | | | | | | There was no way to validate argument input from plugins and cause the installer to bail out. If a plugin needs to validate some input it can use the validate_args() method and raise ConfigurationError() if an issue is found. https://fedorahosted.org/ipsilon/ticket/78 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add LDAP testSimo Sorce2015-03-231-1/+6
| | | | | | | | This finally tests the LDAP login/info plugins as well as the special "groups" attribute. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix fetching infoldap plugin groupsSimo Sorce2015-03-231-1/+15
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* set SELinux boolean httpd_can_connect_ldap when install infolap and authldapJohn Dennis2015-03-231-0/+9
| | | | | Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix error returned from login pluginsSimo Sorce2015-03-175-0/+7
| | | | | | | | | | | Some login plugins use form based authentication and let the user retry on authentication errors. This is fine, however the wrong error code is returned in this case, 401 should be returned. Fixes: https://fedorahosted.org/ipsilon/ticket/94 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
* Fix transaction ID passing for failed authenticationPatrick Uiterwijk2015-03-031-3/+6
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add uninstallation support.Patrick Uiterwijk2015-02-267-18/+40
| | | | | | | | | As part of this, made all plugins use a Installer baseclass. https://fedorahosted.org/ipsilon/ticket/38 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
* Use the new Policy engine for login/info mappingSimo Sorce2015-02-241-12/+11
| | | | | | | | The InfoMapping class is now only used to prettify the default set of wellknown attributes. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Prefix userdata hives with _ to avoid conflictsSimo Sorce2015-02-243-27/+27
| | | | | | | | | | | The main userdata dict contains common attributes, but we add a sepcial groups list and unmapped extras, as well as indicators like auth_type. All these additional attributes are now prefixed by a _ character so that conflicts with legitimate attributes are improbable. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix some copy-paste errors in help outputPatrick Uiterwijk2015-01-191-1/+1
| | | | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> https://fedorahosted.org/ipsilon/ticket/33
* Fix file permissions and remove shebang'sPatrick Uiterwijk2014-12-167-14/+0
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add support for Persona Identity ProviderPatrick Uiterwijk2014-11-141-2/+4
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix LDAP plugin configuration checksPatrick Uiterwijk2014-11-131-2/+2
| | | | | | | | Interpret config value correctly (it is a boolean now) Pass required argument Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Refactor plugin initialization and enablementSimo Sorce2014-11-127-157/+92
| | | | | | | | | | | | Move most plugin enablement and initialization code in plugin.py to reduce code duplication and simplify and unifify plugin enablement for all base plugin types (login, info, providers). This patch breaks backwards compatibility as it changes how the list of enabled plugins is stored in the database tables. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Refactor plugin configurationSimo Sorce2014-11-127-140/+123
| | | | | | | | | | | | | | | Fork a PluginConfig class out of PluginObject, the base object now supports a simple dictionary config, while using PluginConfig provide access to structured util.config based configuration. Change UI code that deal with plugins configuration to properly use the new structured config objects in order to represent data in appropriate format based on the data type. Use the new util.config objects to represent plugins configuration. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* In configure we do not need to set_config()Simo Sorce2014-11-126-16/+8
| | | | | | | | | All we care about in configure is to store the config in the db, so skip setting the config explicitly in the plugin object and go straight to the database. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix plugins enablement codeSimo Sorce2014-10-271-14/+12
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Reuse the AdminPlugins class for the providers tooSimo Sorce2014-10-271-0/+9
| | | | | | | This way we can remove even more duplicated code... \o/ Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use self.log in authpam.pySimo Sorce2014-10-271-5/+4
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Map some common attributes from fas to userdataPatrick Uiterwijk2014-10-241-3/+17
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com>
* Return to provider if user cancels loginSimo Sorce2014-10-241-0/+22
| | | | | | | | When the cancel button is hit return to the provider and eventually to the original application via return urls. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Handle invalid/expired transactions gracefullySimo Sorce2014-10-242-6/+5
| | | | | | | | | Return a useful error page every time and invalid or expired transaction is requested, instead of ending up with an internal backtrace and an ugly 500 error. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Show login target on the login screenPatrick Uiterwijk2014-10-241-0/+3
| | | | | Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Drop custom FAS templateSimo Sorce2014-10-241-1/+1
| | | | | | | | The form and fas template are identical so just drop the fas.html template and use the default. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add group and CLA support to FAS login pluginSimo Sorce2014-10-241-1/+39
| | | | | | | | | | | Add support for returning groups and other information from the FAS login plugin. If the openid module is available also split out cla group information into a spearate item so the openid CLA extension can make use of it and cla groups are not regarded as real groups. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add attribute mapping for user informationSimo Sorce2014-10-243-4/+21
| | | | | | | | | | | | When user information is retrieved we map any wellknown data to a standardized set of names. A ne InfoMapping class takes cares of helping the info modules to map the data they retrieve so that providers can find it in wellknown attribute names for further use. Mapping of attribute names for diplay purposes is also provided. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix mod_auth_kerb based authenticationSimo Sorce2014-10-091-1/+5
| | | | | | | | Recent changes in how self.user is populated broke krb based auth. Explicitly check the remote user in the module to fix it. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix transaction handling in providersSimo Sorce2014-10-061-0/+1
| | | | | | | | | | | | When a provider redirects to the login code, it must retain 'ownership' of the transaction, otherwise the login code will wipe the transaction data as sson as the authentication is completed but before the provider has completed its part of the transaction. Make sure the transaction code retrieves the 'owner' from the data for pre-existing transactions. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Fix login session's userdata acquisitionSimo Sorce2014-10-061-1/+3
| | | | | | | | | With the transaction code changes th session.login() function was incorrectly moved before all the userdata was gathered. An incomplete set was stored in the session. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add very simple LDAP authentication pluginSimo Sorce2014-09-241-0/+221
| | | | | | | | Uses python-ldap to perform a simple bind after connecting to the LDAP server using (by default) a TLS encrypted connection. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use transactions throughout the codeSimo Sorce2014-09-246-26/+57
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add abstraction class to handle cookiesSimo Sorce2014-09-241-9/+9
| | | | | | | This handles secure cokies with useful helpers and defaults. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add Info providers Admin pagesSimo Sorce2014-09-241-1/+1
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add support for returning user attributesSimo Sorce2014-09-241-0/+14
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add proper ordering to login plugins config optsSimo Sorce2014-09-243-0/+6
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Remove service name from the form pluginSimo Sorce2014-09-241-9/+1
| | | | | | | | | When using the external apache modules for form based authentication, the pam service name is set in the apache config files and cannot be dynamically changed, do not offr it as a configuration option. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use helper cookie to remember the usernameSimo Sorce2014-09-245-5/+29
| | | | | | | | | This makes the login page a lot more friendy Available only over HTTPS Max age set to 15 days Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Create common form handler pageSimo Sorce2014-09-245-119/+50
| | | | | | | Reduce duplication Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Rename form login pageSimo Sorce2014-09-243-5/+5
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Remove unused option from the FAS login pluginSimo Sorce2014-09-241-10/+0
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add FAS login pluginSimo Sorce2014-08-271-0/+194
| | | | | | | | | | This plugin simply take a Fedora username and password and authenticates the user against the FAS Server. FAS returned data is saved as userdata in the 'fas' attribute. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Move user attribute storage into session functionsSimo Sorce2014-08-271-6/+1
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Use new Log class everywhereSimo Sorce2014-08-271-5/+2
| | | | | | | | | Replace copies of _debug function sprinkled all over the code with a single implementation Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> - Removed replace of self._debug to self.debug
* Add External form auth pluginSimo Sorce2014-08-271-0/+189
| | | | | | | This plugin uses mod_intercept_form_submit to perform authentication. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
* Add test login moduleSimo Sorce2014-06-041-0/+154
| | | | | | | This is useful to do automated testing. It accepts authentication as long as the password is 'ipsilon'. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix typoSimo Sorce2014-05-291-1/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix E256 with stricter pep8 error checkerSimo Sorce2014-05-201-1/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix E713 with stricter pep8 error checkerSimo Sorce2014-05-201-1/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix typo in selinux boolean nameSimo Sorce2014-05-201-1/+1
| | | | | | This was causing pam auth to fail, as the boolean was not being turned on. Signed-off-by: Simo Sorce <simo@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-23 23:17:11 +0000