Be more verbose when logging errors in info LDAP plugin The infoldap plugin was logging raw exceptions but not providing any context to them. This breaks some of the calls into separate try/except to provide more precise failure reasons. Also fix a typo in the authldap plugin and handle ValueError when validating the template syntax. https://fedorahosted.org/ipsilon/ticket/39 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: John Dennis <jdennis@redhat.com>
Handle user session data for both internal and external authentication Ipsilon can authenticate a user by itself via its own login handlers (classes derived from `LoginManager`) or it can capitalize on the authentication provided by the container Ipsilon is running in (currently WSGI inside Apache). We refer to the latter as "external authentication" because it occurs outside of Ipsilon. However in both cases there is a common need to execute the same code regardless of where the authentication occurred. Establish a new mixin class LoginHelper and use it in both the LoginManagerBase class and the SAML2 SSO SOAP endpoint handler. The SOAP endpoint handler requires external authentication. LoginHelper.initialize_login_session() performs the common duty of establishing a login session and binding user attributes to that session. LoginHelper.get_external_auth_info() determines if external authentication has been performed and returns the name of the principal and the authentication method. Since SSO_SOAP utilizes external login it needs access to the Info providers in order to populate the user attributes in the returned SAML Assertion. The Info provider should be initialized only once and is done via the normal Ipsilon login provider initialization. SSO_SOAP obtains a reference to the Info provider bound to the login provider by accessing the provider._root.login.info member. In order to access the provider it was advantageous to explicitly name the positional parameters passed to the __init__ calls instead of the previous practice of passing parameters anonymously in a *args tuple. In this manner the provider parameter is explicit instead of having used a hardcoded index into the args tuple (e.g. provider = args[1]). The result is much cleaner, easier to read and more robust software. Thus the patch also modifies the __init__ argument list to explicitly pass the site and provider parameters as the first and second positional parameters instead of having them be anonymously subsumed in the *args parameter. These parameters must always be passed because the ProviderPageBase __init__ requires them. Also modify the super calls used to initialize the parent class to pass the site and provider parameters. Calls to initialize ProviderPageBase only pass the site and provider parameters; they do not pass any additional anonymous parameters from the subclass. Ticket: 191 Signed-off-by: John Dennis <jdennis@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Validate options of the LDAP auth plugin on installation Few of the LDAP options had any validation at all so it was easy to provide a bad DN template, basedn and server URL. These types of errors are now sufficient to kill the installer rather than letting it limp along and hope the user notices the failures in the output. https://fedorahosted.org/ipsilon/ticket/40 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Report to user if an LDAP error occurs Catch LDAP errors and display them properly rather than just dumping the exception. Rename variable authed to authok. Add test for case where LDAP server is not started to confirm the user receives the error alert. https://fedorahosted.org/ipsilon/ticket/55 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Mark the service as readonly in the UI in authpam plugin Update the Option class to take a readonly keyword argument, defaulting to False. Extend its subclasses to pass this value along. The page template will add the disabled keyword to input and textarea if a config option is marked as readonly. https://fedorahosted.org/ipsilon/ticket/6 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Use full path when constructing "Other authentication methods" It was previously providing just a relative path and if the paths overlapped I guess the browser was trying to smash them together. This would result in a double "gssapi" in the gssapi URL like: https://my.ipsilon.org/idp/login/gssapi/gssapi/negotiate?ips... Don't rely on the browser to get the path right, use self.basepath. https://fedorahosted.org/ipsilon/ticket/153 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Return PAM errors from mod_intercept_form_submit This fixes several problems: 1. The PAM error was being retrieved from the wrong location 2. The error was not always logged properly 3. The error was not propagated up 4. Even if the error had been propagated up the auth_failed routine failed to pass it to the error page template. A dictionary is used to translate the PAM errors into something more consumable. This can be used eventually to translate into other languages. https://fedorahosted.org/ipsilon/ticket/69 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Implement change registration This will make it possible for plugins to register what they have changed during installation, so that they can revert any changes they made during the uninstallation. https://fedorahosted.org/ipsilon/ticket/67 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
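The change-registration idea in the commit above, as an added example that is not Ipsilon's own code: a registry records each reversible change a plugin makes at install time, and the uninstaller replays the records newest-first. The class and function names (ChangeRegistry, install_plugin, uninstall_plugin) and the file and setting being changed are hypothetical stand-ins chosen for the demonstration.

```python
import json
import os
import tempfile


class ChangeRegistry:
    """Records reversible changes so an uninstaller can undo them in LIFO order.
    Hypothetical class, not Ipsilon's API."""

    def __init__(self):
        self._changes = []  # (kind, payload) tuples, oldest first

    def register(self, kind, **payload):
        self._changes.append((kind, payload))

    def changes(self):
        return list(self._changes)

    def revert_all(self, handlers):
        """Undo every registered change, newest first, via the per-kind handlers.
        Returns the number of changes reverted. An unknown kind raises KeyError
        so a typo in a plugin cannot silently leave state behind."""
        reverted = 0
        for kind, payload in reversed(self._changes):
            handlers[kind](**payload)
            reverted += 1
        self._changes.clear()
        return reverted


def install_plugin(registry, confdir, settings):
    """Hypothetical plugin install: write a config file and flip a setting,
    registering both changes so they can be reverted later."""
    path = os.path.join(confdir, "plugin.conf")
    os.makedirs(confdir, exist_ok=True)
    with open(path, "w") as f:
        json.dump({"enabled": True}, f)
    registry.register("file_created", path=path)

    old = settings.get("plugin_enabled")
    settings["plugin_enabled"] = True
    registry.register("setting_changed", settings=settings,
                      key="plugin_enabled", old=old)


def _restore_setting(settings, key, old):
    # Restore the previous value, or drop the key if it did not exist before.
    if old is None:
        settings.pop(key, None)
    else:
        settings[key] = old


def uninstall_plugin(registry):
    """Revert everything the install registered; returns the count reverted."""
    handlers = {
        "file_created": lambda path: os.remove(path),
        "setting_changed": _restore_setting,
    }
    return registry.revert_all(handlers)


def demo():
    """Install then uninstall in a temp dir. Returns
    (changes_recorded, changes_reverted, config_file_removed, settings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        reg = ChangeRegistry()
        settings = {}
        install_plugin(reg, tmp, settings)
        recorded = len(reg.changes())
        reverted = uninstall_plugin(reg)
        file_gone = not os.path.exists(os.path.join(tmp, "plugin.conf"))
    return recorded, reverted, file_gone, settings


if __name__ == "__main__":
    print(demo())
```

Reverting in reverse order matters when later changes depend on earlier ones (a setting that refers to a file must be unset before the file is removed); the registry also makes a partial install recoverable, since whatever was recorded before a failure can still be undone.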
Update Copyright header point to COPYING file Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit. https://fedorahosted.org/ipsilon/ticket/126 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Remove extraneous logging arg in authform login plugin If you didn't provide credentials at all at the form by pressing ENTER then a 500 error would be thrown rather than an authentication error. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
pylint 1.4.3 version fixes Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completely so older pylint versions are happy too. Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes. In some 'admin' files the type() -> isinstance() fix required inverting the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
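The ordering trap described in the commit above, as an added example (not Ipsilon's own code): ComplexList and MappingList here are minimal stand-ins that only keep the subclass relationship the commit names, and the describe_* functions are hypothetical dispatchers. The last helper generalizes the rule to any isinstance() dispatch chain, reporting which branches are shadowed by an earlier base-class check.

```python
class ComplexList(list):
    """Stand-in for a list-valued option type."""


class MappingList(ComplexList):
    """Stand-in for the subclass whose items are key/value pairs."""


def describe_wrong_order(option):
    # Base class tested first: every MappingList is also a ComplexList, so the
    # second branch is unreachable and mapping options are mishandled.
    if isinstance(option, ComplexList):
        return "complex"
    if isinstance(option, MappingList):
        return "mapping"
    return "other"


def describe_right_order(option):
    # Most specific class first, as the commit's fix does.
    if isinstance(option, MappingList):
        return "mapping"
    if isinstance(option, ComplexList):
        return "complex"
    return "other"


def describe_with_type(option):
    # The exact-type pattern pylint flagged: order does not matter, but any
    # further subclass of ComplexList silently falls through to "other".
    if type(option) is ComplexList:
        return "complex"
    if type(option) is MappingList:
        return "mapping"
    return "other"


def unreachable_branches(dispatch_order):
    """Given classes in the order an isinstance() chain tests them, return the
    names of those that can never match because an earlier entry is one of
    their base classes."""
    shadowed = []
    for i, cls in enumerate(dispatch_order):
        if any(issubclass(cls, earlier) for earlier in dispatch_order[:i]):
            shadowed.append(cls.__name__)
    return shadowed


if __name__ == "__main__":
    print(describe_wrong_order(MappingList()), describe_right_order(MappingList()))
    print(unreachable_branches([ComplexList, MappingList]))
```

Running unreachable_branches over a dispatch chain is a cheap check to add to a test suite: it catches exactly the regression the commit fixed, and it also flags any future subclass that gets inserted after its parent.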
Use python logging in install / log cherrypy at right severity This replaces the print statements in the installer code with a python logger so we can log all output to the installer log and a subset of it to stdout in one step without duplication. The cherrypy.log.error() logs to the "error" log at a severity of logging.INFO by default. Set an appropriate log level for these as well. https://fedorahosted.org/ipsilon/ticket/35 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Add OpenID test suite This tests core OpenID and the Attribute Exchange, Simple Registration and Teams extensions. Using a small wsgi tool because mod_auth_openid does not support all extensions. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Make available a list of alternative auth methods In the form case there is no way to automatically fallback to other auth methods or even repeat transparent methods. Add a simple list of alternative auth methods under the description box so that the user can easily switch back and forth between them if desired. Fixes: https://fedorahosted.org/ipsilon/ticket/96 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Populate krb_principal_name from GSS_NAME env var mod_auth_gssapi provides by default the local name in REMOTE_USER and the full principal in GSS_NAME. Grab a copy of that principal for krb_principal_name. https://fedorahosted.org/ipsilon/ticket/115 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Use mod_auth_gssapi instead of mod_auth_kerb Change configuration on new installs only. Enable GssapiLocalName so we have access to the local name in REMOTE_USER and the full principal in GSS_NAME. Enable GssapiSSLonly even though SSLRequireSSL is also set. The belt and suspenders principle. https://fedorahosted.org/ipsilon/ticket/89 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>