Add support for IdP-initiated login

This uses the Redirect SSO endpoint and two new optional arguments: SPIdentifier and RelayState. SPIdentifier is the provider ID of the SP. RelayState is where on the SP the user should be sent.

If the user is already authenticated then a SAMLResponse is generated and the existing HTML page is generated and sent to the user including this response and the value of RelayState (if any). This will then POST to the SP and the user will be shown the page on the SP.

If the user is not authenticated then they will be given the login page after which they will be sent to the SP.

The link to the SP on the IdP Portal has changed to be an IdP-initiated login. If a user bookmarks this link then they will always go to that SP and be authenticated first, if needed.

https://fedorahosted.org/ipsilon/ticket/138

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: John Dennis <jdennis@redhat.com>

Be more verbose when logging errors in info LDAP plugin

The infoldap plugin was logging raw exceptions but not providing any context to them. This breaks some of the calls into separate try/except to provide more precise failure reasons.

Also fix a typo in the authldap plugin and handle ValueError when validating the template syntax.

https://fedorahosted.org/ipsilon/ticket/39

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: John Dennis <jdennis@redhat.com>

ipsilon-server-install sometimes fails to log & emit errors

ipsilon-server-install may silently and immediately fail: nothing is emitted to the console nor captured in the log file, it's just a silent complete failure. An example that reproduces the problem is a hostname without any dots in it, e.g. "localhost".

The log level is set after some code executes (e.g. arg parsing). If that code raises an error the exception handler will log it at the debug level, but because the log level has not been set yet to debug (it's still at the default error level) the message is not emitted.

The log level should be set as soon as logging is initialized.

An error message should be emitted to the console, therefore in addition to the exception handler logging the error to the debug log along with the stack trace it should also emit just the message to the console.

Ticket: 202

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

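An added example, not the ipsilon-server-install code itself, that reproduces the ordering problem this commit describes and shows the corrected ordering side by side. The hostname validator (`validate_hostname`), the logger name and the two `install_*` functions are constructed for illustration; only the behaviour (level set too late, handler logging at debug only, message additionally written to the console) follows the commit message.

```python
import io
import logging


def validate_hostname(hostname):
    """Constructed stand-in for the argument checks that used to run before
    the log level was set.  A hostname without any dots, e.g. "localhost",
    is the reproducer named in the commit message."""
    if "." not in hostname:
        raise ValueError("hostname %r must be fully qualified" % hostname)
    return hostname


def make_logger(logfile):
    """Logger writing to a file-like object; starts at the default ERROR level."""
    logger = logging.Logger("ipsilon-install-example")   # assumed name
    handler = logging.StreamHandler(logfile)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(logging.ERROR)
    return logger


def install_buggy(hostname, logfile, console):
    """The broken ordering: the level is raised to DEBUG only after validation,
    and the exception handler logs at DEBUG only.  A validation error therefore
    leaves both the log file and the console empty."""
    logger = make_logger(logfile)
    try:
        validate_hostname(hostname)
        logger.setLevel(logging.DEBUG)   # too late for anything raised above
        logger.debug("installing on %s", hostname)
        return 0
    except Exception as e:
        logger.debug("Error: %s", e, exc_info=True)   # dropped: still at ERROR
        return 1


def install_fixed(hostname, logfile, console):
    """The fixed ordering: set the level as soon as logging is initialised, and
    have the handler log the message plus stack trace while also writing the
    bare message to the console."""
    logger = make_logger(logfile)
    logger.setLevel(logging.DEBUG)       # immediately after initialisation
    try:
        validate_hostname(hostname)
        logger.debug("installing on %s", hostname)
        return 0
    except Exception as e:
        logger.debug("Error: %s", e, exc_info=True)   # message + traceback to log
        console.write("Error: %s\n" % e)              # just the message to console
        return 1


def run(install_func, hostname):
    """Run one installer variant with an in-memory log file and console and
    return (exit status, log text, console text)."""
    logfile, console = io.StringIO(), io.StringIO()
    status = install_func(hostname, logfile, console)
    return status, logfile.getvalue(), console.getvalue()


if __name__ == "__main__":
    for func in (install_buggy, install_fixed):
        status, log_text, console_text = run(func, "localhost")
        print("%s -> status %d, log %d bytes, console %r"
              % (func.__name__, status, len(log_text), console_text))
```

Running it shows the buggy variant exiting 1 with an empty log and empty console, while the fixed variant puts the traceback in the log and the one-line message on the console.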
Catch unsigned logout requests and raise a 400 for now

A 400 is still going to blow up the logout sequence but it is better than a 500 and at least tells the user what is wrong. This is most likely to be run into during initial SP testing and not in production.

https://fedorahosted.org/ipsilon/ticket/166

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Handle user session data for both internal and external authentication

Ipsilon can authenticate a user by itself via its own login handlers (classes derived from `LoginManager`) or it can capitalize on the authentication provided by the container Ipsilon is running in (currently WSGI inside Apache). We refer to the latter as "external authentication" because it occurs outside of Ipsilon. However in both cases there is a common need to execute the same code regardless of where the authentication occurred.

Establish a new mixin class LoginHelper and use it in both the LoginManagerBase class and the SAML2 SSO SOAP endpoint handler. The SOAP endpoint handler requires external authentication.

LoginHelper.initialize_login_session() performs the common duty of establishing a login session and binding user attributes to that session.

LoginHelper.get_external_auth_info() determines if external authentication has been performed and returns the name of the principal and the authentication method.

Since SSO_SOAP utilizes external login it needs access to the Info providers in order to populate the user attributes in the returned SAML Assertion. The Info provider should be initialized only once and is done via the normal Ipsilon login provider initialization. SSO_SOAP obtains a reference to the Info provider bound to the login provider by accessing the provider._root.login.info member.

In order to access the provider it was advantageous to explicitly name the positional parameters passed to the __init__ calls instead of the previous practice of passing parameters anonymously in a *args tuple. In this manner the provider parameter is explicit instead of having used a hardcoded index into the args tuple (e.g. provider = args[1]). The result is much cleaner, easier to read and more robust software.

Thus the patch also modifies the __init__ argument list to explicitly pass the site and provider parameters as the first and second positional parameters instead of having them be anonymously subsumed in the *args parameter. These parameters must always be passed because the ProviderPageBase __init__ requires them. Also modify the super calls used to initialize the parent class to pass the site and provider parameters. Calls to initialize ProviderPageBase only pass the site and provider parameters, they do not pass any additional anonymous parameters from the subclass.

Ticket: 191

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Don't assume cache_dir is set in conf during uninstall

The code was unconditionally retrieving a value from ipsilon.conf and replacing strings in it. This would fail if the config file didn't exist, there was no global section or if cache_dir wasn't there.

https://fedorahosted.org/ipsilon/ticket/186

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Don't crash if no NameIdPolicy is requested

This fixes two problems:

1. Logging was done before a None check was completed
2. The None check was insufficient because the whole object could be None

https://fedorahosted.org/ipsilon/ticket/189

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Fix incorrect raise exception syntax

This was causing a logout error to throw an exception in Ipsilon instead, masking the original error.

https://fedorahosted.org/ipsilon/ticket/195

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Properly identify code location of logging message

The method Log.call_location() is used to add identifying information about the location in the code where a logging message is emitted from. It needs to walk up the stack to bypass calls involved in logging to find where the call to logging was made.

Formerly the code had a hardcoded offset into the list of stack frame objects. But any change in the logging implementation perturbs that offset.

This patch fixes that problem by walking up the stack until a non-logging function is identified.

Ticket: 172

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

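An added example, not Ipsilon's Log class, contrasting the two approaches this commit describes: a hardcoded frame offset that breaks as soon as a logging helper is added or bypassed, and a walker that climbs the stack until it reaches a function outside the logging layer. The toy `Log` class, the `LOGGING_FUNCTIONS` set used to recognise logging frames, and the `handle_request`/`direct_user`/`outer` callers are all constructed for the example.

```python
import inspect
import os

# Names of the functions that form the logging layer in this constructed
# example.  The walker skips any frame whose function name is in this set.
LOGGING_FUNCTIONS = frozenset({"call_location", "log", "debug", "error"})


def call_location(skip=LOGGING_FUNCTIONS):
    """Return (file, line, function) of the nearest stack frame that is not
    part of the logging layer.  Walking until a non-logging function is found
    means inserting or removing a logging helper does not shift the result the
    way a hardcoded frame offset would."""
    frame = inspect.currentframe()
    try:
        while frame is not None:
            if frame.f_code.co_name not in skip:
                return (os.path.basename(frame.f_code.co_filename),
                        frame.f_lineno, frame.f_code.co_name)
            frame = frame.f_back
        return ("<unknown>", 0, "<unknown>")
    finally:
        del frame  # do not keep the frame (and its locals) alive


class Log(object):
    """Toy logger: records "file:line func(): [LEVEL] message" strings."""

    def __init__(self):
        self.records = []

    def log(self, level, msg):
        fname, line, func = call_location()
        rec = "%s:%d %s(): [%s] %s" % (fname, line, func, level, msg)
        self.records.append(rec)
        return rec

    def debug(self, msg):
        return self.log("DEBUG", msg)

    def error(self, msg):
        return self.log("ERROR", msg)

    # The fragile alternative the commit replaces: a hardcoded offset.
    # stack()[0] is log_fixed itself and [1] is assumed to be debug_fixed,
    # so [2] is the real caller only when exactly that path is taken.
    def log_fixed(self, level, msg):
        return inspect.stack()[2][3]   # index 3 of a FrameInfo is the function name

    def debug_fixed(self, msg):
        return self.log_fixed("DEBUG", msg)


def handle_request(log):
    """Application code; the record must name this function, not Log.log."""
    return log.debug("handling request")


def handle_request_fixed(log):
    """The hardcoded offset happens to be right here: debug_fixed sits between
    this function and log_fixed."""
    return log.debug_fixed("handling request")


def direct_user(log):
    """Call log_fixed with one fewer intermediate frame.  Offset 2 now lands on
    direct_user's caller, so the reported location is wrong."""
    return log.log_fixed("DEBUG", "called directly")


def outer(log):
    return direct_user(log)


if __name__ == "__main__":
    log = Log()
    print(handle_request(log))        # names handle_request()
    print(handle_request_fixed(log))  # handle_request_fixed
    print(outer(log))                 # outer  (wrong: the call was in direct_user)
```

The walker reports `handle_request` no matter how many logging-layer frames sit above it, whereas the offset variant reports `outer` for a call actually made in `direct_user`, which is exactly the perturbation the commit message describes.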
Transaction object must always have a transaction id

A Transaction object must always have a transaction id (tid) because a tid is how a transaction is referenced (e.g. when being stored or retrieved). The existing code erroneously assumed a tid only needed to be created if the request contained query or form parameters. This restriction is now removed; if the transaction id cannot be found as a request parameter a tid is unconditionally created.

Ticket: 177

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Modify is_lasso_ecp_enabled() to test for library symbol

The function is_lasso_ecp_enabled() in saml2idp.py was testing for a specific lasso version. That has proved problematic because we've had too many "unofficial" versions floating around and sometimes the version check produces the wrong result. A better test is to test for the presence of a symbol in the lasso library we know will only be there with full ECP support. Now we test for the presence of ECP_ERROR_MISSING_AUTHN_REQUEST.

Ticket: 167

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

Make it possible to use PluginLoader without store

In the case of OpenID extensions, a backend store is not needed for the PluginLoader, since the IDP Plugin has its own configuration for enabled extensions.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>