ipsilon/providers/saml2/admin.py

   1 #!/usr/bin/python
   2 #
   3 # Copyright (C) 2014  Simo Sorce <simo@redhat.com>
   4 #
   5 # see file 'COPYING' for use and warranty information
   6 #
   7 # This program is free software; you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation, either version 3 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19
  20 import cherrypy
  21 from ipsilon.util.page import Page
  22 from ipsilon.providers.saml2.provider import ServiceProvider
  23 from ipsilon.providers.saml2.provider import ServiceProviderCreator
  24 from ipsilon.providers.saml2.provider import InvalidProviderId
  25 import re
  26
  27
  28 VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
  29
  30
  31 class NewSPAdminPage(Page):
  32
  33     def __init__(self, site, parent):
  34         super(NewSPAdminPage, self).__init__(site)
  35         self.parent = parent
  36         self.title = 'New Service Provider'
  37         self.backurl = parent.url
  38         self.url = '%s/new' % (parent.url,)
  39
  40     def form_new(self, message=None, message_type=None):
  41         return self._template('admin/providers/saml2_sp_new.html',
  42                               title=self.title,
  43                               message=message,
  44                               message_type=message_type,
  45                               name='saml2_sp_new_form',
  46                               backurl=self.backurl, action=self.url)
  47
  48     def GET(self, *args, **kwargs):
  49         return self.form_new()
  50
  51     def POST(self, *args, **kwargs):
  52
  53         if self.user.is_admin:
  54             #TODO: allow authenticated user to create SPs on their own
  55             #      set the owner in that case
  56             name = None
  57             meta = None
  58             if 'content-type' not in cherrypy.request.headers:
  59                 self._debug("Invalid request, missing content-type")
  60                 message = "Malformed request"
  61                 message_type = "error"
  62                 return self.form_new(message, message_type)
  63             ctype = cherrypy.request.headers['content-type'].split(';')[0]
  64             if ctype != 'multipart/form-data':
  65                 self._debug("Invalid form type (%s), trying to cope" % (
  66                             cherrypy.request.content_type,))
  67             for key, value in kwargs.iteritems():
  68                 if key == 'name':
  69                     if re.search(VALID_IN_NAME, value):
  70                         message = "Invalid name!" \
  71                                   " Use only numbers and letters"
  72                         message_type = "error"
  73                         return self.form_new(message, message_type)
  74
  75                     name = value
  76                 elif key == 'meta':
  77                     if hasattr(value, 'content_type'):
  78                         meta = value.fullvalue()
  79                     else:
  80                         self._debug("Invalid format for 'meta'")
  81
  82             if name and meta:
  83                 try:
  84                     spc = ServiceProviderCreator(self.parent.cfg)
  85                     sp = spc.create_from_buffer(name, meta)
  86                     sp_page = self.parent.add_sp(name, sp)
  87                     message = "SP Successfully added"
  88                     message_type = "success"
  89                     return sp_page.form_standard(message, message_type)
  90                 except InvalidProviderId, e:
  91                     message = str(e)
  92                     message_type = "error"
  93                 except Exception, e:  # pylint: disable=broad-except
  94                     self._debug(repr(e))
  95                     message = "Failed to create Service Provider!"
  96                     message_type = "error"
  97             else:
  98                 message = "A name and a metadata file must be provided"
  99                 message_type = "error"
 100         else:
 101             message = "Unauthorized"
 102             message_type = "error"
 103
 104         return self.form_new(message, message_type)
 105
 106     def root(self, *args, **kwargs):
 107         op = getattr(self, cherrypy.request.method, self.GET)
 108         if callable(op):
 109             return op(*args, **kwargs)
 110
 111
 112 class InvalidValueFormat(Exception):
 113     pass
 114
 115
 116 class UnauthorizedUser(Exception):
 117     pass
 118
 119
 120 class SPAdminPage(Page):
 121
 122     def __init__(self, sp, site, parent):
 123         super(SPAdminPage, self).__init__(site)
 124         self.parent = parent
 125         self.sp = sp
 126         self.title = sp.name
 127         self.backurl = parent.url
 128         self.url = '%s/sp/%s' % (parent.url, sp.name)
 129
 130     def form_standard(self, message=None, message_type=None):
 131         return self._template('admin/providers/saml2_sp.html',
 132                               message=message,
 133                               message_type=message_type,
 134                               title=self.title,
 135                               name='saml2_sp_%s_form' % self.sp.name,
 136                               backurl=self.backurl, action=self.url,
 137                               data=self.sp)
 138
 139     def GET(self, *args, **kwargs):
 140         return self.form_standard()
 141
 142     def change_name(self, key, value):
 143
 144         if value == self.sp.name:
 145             return False
 146
 147         if self.user.is_admin or self.user.name == self.sp.owner:
 148             if re.search(VALID_IN_NAME, value):
 149                 err = "Invalid name! Use only numbers and letters"
 150                 raise InvalidValueFormat(err)
 151
 152             self._debug("Replacing %s: %s -> %s" % (key, self.sp.name, value))
 153             return {'name': value, 'rename': [self.sp.name, value]}
 154         else:
 155             raise UnauthorizedUser("Unauthorized to rename Service Provider")
 156
 157     def change_owner(self, key, value):
 158         if value == self.sp.owner:
 159             return False
 160
 161         if self.user.is_admin:
 162             self._debug("Replacing %s: %s -> %s" % (key, self.sp.owner, value))
 163             return {'owner': value}
 164         else:
 165             raise UnauthorizedUser("Unauthorized to set owner value")
 166
 167     def change_default_nameid(self, key, value):
 168         if value == self.sp.default_nameid:
 169             return False
 170
 171         if self.user.is_admin:
 172             self._debug("Replacing %s: %s -> %s" % (key,
 173                                                     self.sp.default_nameid,
 174                                                     value))
 175             if not self.sp.is_valid_nameid(value):
 176                 raise InvalidValueFormat('Invalid default nameid value')
 177             return {'default_nameid': value}
 178         else:
 179             raise UnauthorizedUser("Unauthorized to set default nameid value")
 180
 181     def change_allowed_nameids(self, key, value):
 182         v = set([x.strip() for x in value.split(',')])
 183         if v == set(self.sp.allowed_nameids):
 184             return False
 185
 186         if self.user.is_admin:
 187             self._debug("Replacing %s: %s -> %s" % (key,
 188                                                     self.sp.allowed_nameids,
 189                                                     list(v)))
 190             for x in v:
 191                 if not self.sp.is_valid_nameid(x):
 192                     l = ', '.join(self.sp.valid_nameids())
 193                     err = 'Invalid nameid [%s]. Available [%s].' % (x, l)
 194                     raise InvalidValueFormat(err)
 195             return {'allowed_nameids': list(v)}
 196         else:
 197             raise UnauthorizedUser("Unauthorized to set alowed nameids values")
 198
 199     def POST(self, *args, **kwargs):
 200
 201         message = "Nothing was modified."
 202         message_type = "info"
 203         results = dict()
 204
 205         try:
 206             for key, value in kwargs.iteritems():
 207                 if key == 'name':
 208                     r = self.change_name(key, value)
 209                     if r:
 210                         results.update(r)
 211                 elif key == 'owner':
 212                     r = self.change_owner(key, value)
 213                     if r:
 214                         results.update(r)
 215
 216                 elif key == 'default_nameid':
 217                     r = self.change_default_nameid(key, value)
 218                     if r:
 219                         results.update(r)
 220
 221                 elif key == 'allowed_nameids':
 222                     r = self.change_allowed_nameids(key, value)
 223                     if r:
 224                         results.update(r)
 225
 226         except InvalidValueFormat, e:
 227             message = str(e)
 228             message_type = "warning"
 229             return self.form_standard(message, message_type)
 230         except UnauthorizedUser, e:
 231             message = str(e)
 232             message_type = "error"
 233             return self.form_standard(message, message_type)
 234         except Exception, e:  # pylint: disable=broad-except
 235             self._debug("Error: %s" % repr(e))
 236             message = "Internal Error"
 237             message_type = "error"
 238             return self.form_standard(message, message_type)
 239
 240         if len(results) > 0:
 241             try:
 242                 if 'name' in results:
 243                     self.sp.name = results['name']
 244                 if 'owner' in results:
 245                     self.sp.owner = results['owner']
 246                 if 'default_nameid' in results:
 247                     self.sp.default_nameid = results['default_nameid']
 248                 if 'allowed_nameids' in results:
 249                     self.sp.allowed_nameids = results['allowed_nameids']
 250                 self.sp.save_properties()
 251                 if 'rename' in results:
 252                     rename = results['rename']
 253                     self.parent.rename_sp(rename[0], rename[1])
 254                 message = "Properties succssfully changed"
 255                 message_type = "success"
 256             except Exception:  # pylint: disable=broad-except
 257                 message = "Failed to save data!"
 258                 message_type = "error"
 259
 260         return self.form_standard(message, message_type)
 261
 262     def root(self, *args, **kwargs):
 263         op = getattr(self, cherrypy.request.method, self.GET)
 264         if callable(op):
 265             return op(*args, **kwargs)
 266
 267     def delete(self):
 268         self.parent.del_sp(self.sp.name)
 269         self.sp.permanently_delete()
 270         return self.parent.root()
 271     delete.exposed = True
 272
 273
 274 class AdminPage(Page):
 275     def __init__(self, site, config):
 276         super(AdminPage, self).__init__(site)
 277         self.name = 'admin'
 278         self.cfg = config
 279         self.providers = []
 280         self.menu = []
 281         self.url = None
 282         self.sp = Page(self._site)
 283
 284     def add_sp(self, name, sp):
 285         page = SPAdminPage(sp, self._site, self)
 286         self.sp.add_subtree(name, page)
 287         self.providers.append(sp)
 288         return page
 289
 290     def rename_sp(self, oldname, newname):
 291         page = getattr(self.sp, oldname)
 292         self.sp.del_subtree(oldname)
 293         self.sp.add_subtree(newname, page)
 294
 295     def del_sp(self, name):
 296         try:
 297             page = getattr(self.sp, name)
 298             self.providers.remove(page.sp)
 299             self.sp.del_subtree(name)
 300         except Exception, e:  # pylint: disable=broad-except
 301             self._debug("Failed to remove provider %s: %s" % (name, str(e)))
 302
 303     def mount(self, page):
 304         self.menu = page.menu
 305         self.url = '%s/%s' % (page.url, self.name)
 306         for p in self.cfg.idp.get_providers():
 307             try:
 308                 sp = ServiceProvider(self.cfg, p)
 309                 self.add_sp(sp.name, sp)
 310             except Exception, e:  # pylint: disable=broad-except
 311                 self._debug("Failed to find provider %s: %s" % (p, str(e)))
 312         self.add_subtree('new', NewSPAdminPage(self._site, self))
 313         page.add_subtree(self.name, self)
 314
 315     def root(self, *args, **kwargs):
 316         return self._template('admin/providers/saml2.html',
 317                               title='SAML2 Administration',
 318                               providers=self.providers,
 319                               baseurl=self.url,
 320                               menu=self.menu)