| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
This makes the look-and-feel the same between the SAML2 configuration
and the per-SP configuration.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
There were places where a broad exception was caught when saving
administrative changes but the actual exception wasn't logged. The
user was presented only with a 'Failed to save data!' message.
https://fedorahosted.org/ipsilon/ticket/39
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were previously only validating the SP name in the admin pages
for SP creation and update. The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.
This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code. This
ensures that validation will occur regardless of the interface
that is used. In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.
https://fedorahosted.org/ipsilon/ticket/102
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Perform Single Logout for the current user when a logout is initiated
in the IdP.
A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.
https://fedorahosted.org/ipsilon/ticket/87
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.
https://fedorahosted.org/ipsilon/ticket/88
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Return the name the user authenticated with.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This also makes persistent the default NameID format when generating
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
| |
NameQualifier and SPNameQualifier are optional and are not included.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a new login session is received and an existing session
exists in logout, save the old session IDs.
These will be included in the sessions to logout of the SP.
This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.
https://fedorahosted.org/ipsilon/ticket/64
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.
https://fedorahosted.org/ipsilon/ticket/61
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Also removes internal attributes (any attribute that starts with _
Fixes: https://fedorahosted.org/ipsilon/ticket/71
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mount point is /idp/rest/providers/saml2/SPS.
GET .../SPS will retrieve all Service Providers
GET .../SPS/foo will retrieve the Service Provider named foo
POST .../SPS/foo will create the Service Provider named foo
https://fedorahosted.org/ipsilon/ticket/26
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The main userdata dict contains common attributes, but we add
a sepcial groups list and unmapped extras, as well as indicators
like auth_type.
All these additional attributes are now prefixed by a _ character
so that conflicts with legitimate attributes are improbable.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/24
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/ipsilon/ticket/24
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This way if CSS/Code changes we have just one place to fix.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
When user information is retrieved we map any wellknown data to a
standardized set of names.
A ne InfoMapping class takes cares of helping the info modules to
map the data they retrieve so that providers can find it in wellknown
attribute names for further use.
Mapping of attribute names for diplay purposes is also provided.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
| |
These are generically useful and can be rused as they are by other
providers.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is to allow different default headers between Admin pages and
other pages.
In particular we set no-caching headers to all admin pages to force
browsers to refresh as often as possible.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Page util is supposed to intercept and enable exposed pages on
its own so that additional functions can be run in the generic __call__
Fix the code to check for the function argument correctly and use a
different argument than the standard cherrypy one for admin pages so
that we do actually land in the Page.__call__ all the time for those
pages.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
This fixes enabling a provider after the sever is started.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
| |
also adds quickrun.py script to make it easy.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Replace copies of _debug function sprinkled all over the code
with a single implementation
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
- Removed replace of self._debug to self.debug
|
|
|
|
|
|
|
| |
This way a user can avoid copying the metadata file arund but paste
the content straight from a terminal window.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
Properly replace page self.url
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This way all forms will get Referer checking automaticaly
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Report what invalid name was used and fix exception on raising the exception on
line 129
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
Use helper functions to make the code more readbale and exceptions to reduce
error hndling duplication.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
We use the name to construct the admin page path, avoid odd characters
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This will allow to easly share the module with install tools, without the
need to install server side modules in clients
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
| |
This way the user will get a slightly more meaningful error message.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
This way a provider class can be used in admin pages as well and remain
consistent.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds:
- helper functions to create new providers
- separate IdentityProvider class to represent the IDP.
Database changes:
The saml2 plugin database now contain the metadata file contents and does not
rely anymore on on-disk data.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This class generates metadata files for IDP and SP services and is meant
to be used at install/configure time.
It uses the certs module to generate certificates.
With tests!
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
For now just generates self-signed certificates.
In future this calss should connect to a CA, or other service like
certmnger's getcert to retrieve a certificate from a CA.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
|