Update Copyright header point to COPYING file Point to a file containing the license rather than including it in every single source file. This will make it easier to manage the license in the future without another humongous commit. https://fedorahosted.org/ipsilon/ticket/126 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
pylint 1.4.3 version fixes Pylint 1.4.3 completely stopped recognizing the star-args condition. In order to avoid pylint error with > 1.4.3 stop caring for star-args and add cmdline option to ignore those errors completly so older pylint versions are happy too. Also fix type() vs isinstance() checks, isinstance is generally a more correct approach to check for classes. In some 'admin' files the type() -> isinstance() fix required to invert the order in which ComplexList and MappingList are checked as the latter is a subclass of ComplexList, so it needs to be checked first otherwise the check for isinstance(option, ComplexList) matches for both and the code stops functioning properly. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Drop usage of self._debug and use self.debug instead This method was deprecated but still used in a lot of places. https://fedorahosted.org/ipsilon/ticket/120 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Set Cache-control on all generated pages, centralize in Endpoint See "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0" section 3.2.3.2. https://fedorahosted.org/ipsilon/ticket/7 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Proper fallback from referer to REQUEST_URI If the referer is present but does not contain a transaction ID we still need to fallback to the REQUEST_URI. Fix the code to check the url and then fallback to REQUEST_URI rathe than decide upfront merely on the fact a referer is available. https://fedorahosted.org/ipsilon/ticket/74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Find transaction ids for internal redirects On internal redirections, such as when ErrorDocument is used to redirect on failed negotiate authentication we need to look harder for the transaction id. Ticket: #74 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Change root class of Page from Log to Endpoint Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Add expiration to Idp metadata Also regenerate it frequently, so that any change in configuration can be automatically reflected in the metadata downloaded my clients over time. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Use referer too as source of transaction IDs This allows us to use apache module that use things like ErrorDocument directives to do internal redirects and still retain the original transaction intact. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Fix file permissions and remove shebang's Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
Allow to call forms from any of the admin pages Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Handle invalid/expired transactions gracefully Return a useful error page every time and invalid or expired transaction is requested, instead of ending up with an internal backtrace and an ugly 500 error. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add auto-auth requirement to all admin pages Instead ofhaving to explicitly decorate all methods with auth_protect() use the fact all pages go through Page.__call__ to conditionally check if the user is anoynous and set a default when instantiating AdminPage so that all admin pages require authentication. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add way to set default headers When a Page is called automatically sets default headers by adding headers on the default_headers variable. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add pretty handler for 404 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Fix exposed functions The Page util is supposed to intercept and enable exposed pages on its own so that additional functions can be run in the generic __call__ Fix the code to check for the function argument correctly and use a different argument than the standard cherrypy one for admin pages so that we do actually land in the Page.__call__ all the time for those pages. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Redirect anonymous users away It makes no sense to let anonymous users interact with the admin pages so tighten up access and redirect away users that have no rights. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Use new Log class everywhere Replace copies of _debug function sprinkled all over the code with a single implementation Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> - Removed replace of self._debug to self.debug
Add External form auth plugin This plugin uses mod_intercept_form_submit to perform authentication. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rework remote_login and remove protect decorator The protect decorator was not really being used for anything, remove it. Change the way UserSession's remote_login() works. If called now it either sets a REMOTE_USER (if found) or nukes the current user data in the session. This means this function can be safely called only in a login plugin now. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>