-#!/usr/bin/python
-#
-# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
import cherrypy
+from ipsilon.util import config as pconfig
from ipsilon.admin.common import AdminPage
+from ipsilon.admin.common import ADMIN_STATUS_OK
+from ipsilon.admin.common import ADMIN_STATUS_ERROR
+from ipsilon.admin.common import ADMIN_STATUS_WARN
+from ipsilon.admin.common import get_mapping_list_value
+from ipsilon.admin.common import get_complex_list_value
from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import ServiceProviderCreator
from ipsilon.providers.saml2.provider import InvalidProviderId
-import re
+from copy import deepcopy
import requests
-
-
-VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
+import logging
class NewSPAdminPage(AdminPage):
super(NewSPAdminPage, self).__init__(site, form=True)
self.parent = parent
self.title = 'New Service Provider'
- self.backurl = parent.url
+ self.back = parent.url
self.url = '%s/new' % (parent.url,)
def form_new(self, message=None, message_type=None):
message=message,
message_type=message_type,
name='saml2_sp_new_form',
- backurl=self.backurl, action=self.url)
+ back=self.back, action=self.url)
def GET(self, *args, **kwargs):
return self.form_new()
name = None
meta = None
if 'content-type' not in cherrypy.request.headers:
- self._debug("Invalid request, missing content-type")
+ self.debug("Invalid request, missing content-type")
message = "Malformed request"
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
return self.form_new(message, message_type)
ctype = cherrypy.request.headers['content-type'].split(';')[0]
if ctype != 'multipart/form-data':
- self._debug("Invalid form type (%s), trying to cope" % (
- cherrypy.request.content_type,))
+ self.debug("Invalid form type (%s), trying to cope" % (
+ cherrypy.request.content_type,))
for key, value in kwargs.iteritems():
if key == 'name':
- if re.search(VALID_IN_NAME, value):
- message = "Invalid name!" \
- " Use only numbers and letters"
- message_type = "error"
- return self.form_new(message, message_type)
-
name = value
elif key == 'metatext':
if len(value) > 0:
if hasattr(value, 'content_type'):
meta = value.fullvalue()
else:
- self._debug("Invalid format for 'meta'")
+ self.debug("Invalid format for 'meta'")
elif key == 'metaurl':
if len(value) > 0:
try:
r.raise_for_status()
meta = r.content
except Exception, e: # pylint: disable=broad-except
- self._debug("Failed to fetch metadata: " + repr(e))
+ self.debug("Failed to fetch metadata: " + repr(e))
message = "Failed to fetch metadata: " + repr(e)
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
return self.form_new(message, message_type)
if name and meta:
sp = spc.create_from_buffer(name, meta)
sp_page = self.parent.add_sp(name, sp)
message = "SP Successfully added"
- message_type = "success"
- return sp_page.form_standard(message, message_type)
+ message_type = ADMIN_STATUS_OK
+ return sp_page.root_with_msg(message, message_type)
except InvalidProviderId, e:
message = str(e)
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
except Exception, e: # pylint: disable=broad-except
- self._debug(repr(e))
+ self.debug(repr(e))
message = "Failed to create Service Provider!"
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
else:
message = "A name and a metadata file must be provided"
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
else:
message = "Unauthorized"
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
return self.form_new(message, message_type)
self.parent = parent
self.sp = sp
self.title = sp.name
- self.backurl = parent.url
self.url = '%s/sp/%s' % (parent.url, sp.name)
+ self.menu = [parent]
+ self.back = parent.url
- def form_standard(self, message=None, message_type=None, newurl=None):
- return self._template('admin/providers/saml2_sp.html',
- message=message,
- message_type=message_type,
- title=self.title,
- name='saml2_sp_%s_form' % self.sp.name,
- backurl=self.backurl, action=self.url,
- data=self.sp, newurl=newurl)
+ def root_with_msg(self, message=None, message_type=None):
+ return self._template('admin/option_config.html', title=self.title,
+ menu=self.menu, action=self.url, back=self.back,
+ message=message, message_type=message_type,
+ name='saml2_sp_%s_form' % (self.sp.name),
+ config=self.sp.get_config_obj())
def GET(self, *args, **kwargs):
- return self.form_standard()
-
- def change_name(self, key, value):
-
- if value == self.sp.name:
- return False
-
- if self.user.is_admin or self.user.name == self.sp.owner:
- if re.search(VALID_IN_NAME, value):
- err = "Invalid name! Use only numbers and letters"
- raise InvalidValueFormat(err)
-
- self._debug("Replacing %s: %s -> %s" % (key, self.sp.name, value))
- return {'name': value, 'rename': [self.sp.name, value]}
- else:
- raise UnauthorizedUser("Unauthorized to rename Service Provider")
-
- def change_owner(self, key, value):
- if value == self.sp.owner:
- return False
-
- if self.user.is_admin:
- self._debug("Replacing %s: %s -> %s" % (key, self.sp.owner, value))
- return {'owner': value}
- else:
- raise UnauthorizedUser("Unauthorized to set owner value")
-
- def change_default_nameid(self, key, value):
- if value == self.sp.default_nameid:
- return False
-
- if self.user.is_admin:
- self._debug("Replacing %s: %s -> %s" % (key,
- self.sp.default_nameid,
- value))
- if not self.sp.is_valid_nameid(value):
- raise InvalidValueFormat('Invalid default nameid value')
- return {'default_nameid': value}
- else:
- raise UnauthorizedUser("Unauthorized to set default nameid value")
-
- def change_allowed_nameids(self, key, value):
- v = set([x.strip() for x in value.split(',')])
- if v == set(self.sp.allowed_nameids):
- return False
-
- if self.user.is_admin:
- self._debug("Replacing %s: %s -> %s" % (key,
- self.sp.allowed_nameids,
- list(v)))
- for x in v:
- if not self.sp.is_valid_nameid(x):
- l = ', '.join(self.sp.valid_nameids())
- err = 'Invalid nameid [%s]. Available [%s].' % (x, l)
- raise InvalidValueFormat(err)
- return {'allowed_nameids': list(v)}
- else:
- raise UnauthorizedUser("Unauthorized to set alowed nameids values")
+ return self.root_with_msg()
def POST(self, *args, **kwargs):
message = "Nothing was modified."
message_type = "info"
- results = dict()
-
- try:
- for key, value in kwargs.iteritems():
- if key == 'name':
- r = self.change_name(key, value)
- if r:
- results.update(r)
- elif key == 'owner':
- r = self.change_owner(key, value)
- if r:
- results.update(r)
-
- elif key == 'default_nameid':
- r = self.change_default_nameid(key, value)
- if r:
- results.update(r)
-
- elif key == 'allowed_nameids':
- r = self.change_allowed_nameids(key, value)
- if r:
- results.update(r)
-
- except InvalidValueFormat, e:
- message = str(e)
- message_type = "warning"
- return self.form_standard(message, message_type)
- except UnauthorizedUser, e:
- message = str(e)
- message_type = "error"
- return self.form_standard(message, message_type)
- except Exception, e: # pylint: disable=broad-except
- self._debug("Error: %s" % repr(e))
- message = "Internal Error"
- message_type = "error"
- return self.form_standard(message, message_type)
+ new_db_values = dict()
+
+ conf = self.sp.get_config_obj()
+
+ for name, option in conf.iteritems():
+ if name in kwargs:
+ value = kwargs[name]
+ if isinstance(option, pconfig.List):
+ value = [x.strip() for x in value.split('\n')]
+ # for normal lists we want unordered comparison
+ if set(value) == set(option.get_value()):
+ continue
+ elif isinstance(option, pconfig.Condition):
+ value = True
+ else:
+ if isinstance(option, pconfig.Condition):
+ value = False
+ elif isinstance(option, pconfig.Choice):
+ value = list()
+ for a in option.get_allowed():
+ aname = '%s_%s' % (name, a)
+ if aname in kwargs:
+ value.append(a)
+ elif isinstance(option, pconfig.MappingList):
+ current = deepcopy(option.get_value())
+ value = get_mapping_list_value(name,
+ current,
+ **kwargs)
+ # if current value is None do nothing
+ if value is None:
+ if option.get_value() is None:
+ continue
+ # else pass and let it continue as None
+ elif isinstance(option, pconfig.ComplexList):
+ current = deepcopy(option.get_value())
+ value = get_complex_list_value(name,
+ current,
+ **kwargs)
+ # if current value is None do nothing
+ if value is None:
+ if option.get_value() is None:
+ continue
+ # else pass and let it continue as None
+ else:
+ continue
+
+ if value != option.get_value():
+ cherrypy.log.error("Storing %s = %s" %
+ (name, value), severity=logging.DEBUG)
+ new_db_values[name] = value
+
+ if len(new_db_values) != 0:
+ try:
+ # Validate user can make these changes
+ for (key, value) in new_db_values.iteritems():
+ if key == 'Name':
+ if (not self.user.is_admin and
+ self.user.name != self.sp.owner):
+ raise UnauthorizedUser("Unauthorized to set owner")
+ elif key in ['User Owner', 'Default NameID',
+ 'Allowed NameIDs', 'Attribute Mapping',
+ 'Allowed Attributes']:
+ if not self.user.is_admin:
+ raise UnauthorizedUser(
+ "Unauthorized to set %s" % key
+ )
+
+ # Make changes in current config
+ for name, option in conf.iteritems():
+ value = new_db_values.get(name, False)
+ # A value of None means remove from the data store
+ if value is False or value == []:
+ continue
+ if name == 'Name':
+ if not self.sp.is_valid_name(value):
+ raise InvalidValueFormat(
+ 'Invalid name! Use only numbers and'
+ ' letters'
+ )
+ self.sp.name = value
+ self.url = '%s/sp/%s' % (self.parent.url, value)
+ self.parent.rename_sp(option.get_value(), value)
+ elif name == 'User Owner':
+ self.sp.owner = value
+ elif name == 'Default NameID':
+ self.sp.default_nameid = value
+ elif name == 'Allowed NameIDs':
+ self.sp.allowed_nameids = value
+ elif name == 'Attribute Mapping':
+ self.sp.attribute_mappings = value
+ elif name == 'Allowed Attributes':
+ self.sp.allowed_attributes = value
+ except InvalidValueFormat, e:
+ message = str(e)
+ message_type = ADMIN_STATUS_WARN
+ return self.root_with_msg(message, message_type)
+ except UnauthorizedUser, e:
+ message = str(e)
+ message_type = ADMIN_STATUS_ERROR
+ return self.root_with_msg(message, message_type)
+ except Exception as e: # pylint: disable=broad-except
+ self.debug("Error: %s" % repr(e))
+ message = "Internal Error"
+ message_type = ADMIN_STATUS_ERROR
+ return self.root_with_msg(message, message_type)
- if len(results) > 0:
try:
- if 'name' in results:
- self.sp.name = results['name']
- if 'owner' in results:
- self.sp.owner = results['owner']
- if 'default_nameid' in results:
- self.sp.default_nameid = results['default_nameid']
- if 'allowed_nameids' in results:
- self.sp.allowed_nameids = results['allowed_nameids']
self.sp.save_properties()
- if 'rename' in results:
- rename = results['rename']
- self.url = '%s/sp/%s' % (self.parent.url, rename[1])
- self.parent.rename_sp(rename[0], rename[1])
message = "Properties successfully changed"
- message_type = "success"
- except Exception: # pylint: disable=broad-except
+ message_type = ADMIN_STATUS_OK
+ except Exception as e: # pylint: disable=broad-except
+ self.error('Failed to save data: %s' % e)
message = "Failed to save data!"
- message_type = "error"
+ message_type = ADMIN_STATUS_ERROR
+ else:
+ self.sp.refresh_config()
- return self.form_standard(message, message_type, self.url)
+ return self.root_with_msg(message=message,
+ message_type=message_type)
def delete(self):
self.parent.del_sp(self.sp.name)
self.providers.remove(page.sp)
self.sp.del_subtree(name)
except Exception, e: # pylint: disable=broad-except
- self._debug("Failed to remove provider %s: %s" % (name, str(e)))
+ self.debug("Failed to remove provider %s: %s" % (name, str(e)))
def add_sps(self):
if self.cfg.idp:
self.del_sp(sp.name)
self.add_sp(sp.name, sp)
except Exception, e: # pylint: disable=broad-except
- self._debug("Failed to find provider %s: %s" % (p, str(e)))
+ self.debug("Failed to find provider %s: %s" % (p, str(e)))
def mount(self, page):
self.menu = page.menu