ipsilon/providers/saml2/admin.py

   1 #!/usr/bin/python
   2 #
   3 # Copyright (C) 2014  Simo Sorce <simo@redhat.com>
   4 #
   5 # see file 'COPYING' for use and warranty information
   6 #
   7 # This program is free software; you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation, either version 3 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19
  20 import cherrypy
  21 from ipsilon.util.page import Page
  22 from ipsilon.providers.saml2.provider import ServiceProvider
  23 from ipsilon.providers.saml2.provider import ServiceProviderCreator
  24 from ipsilon.providers.saml2.provider import InvalidProviderId
  25 import re
  26
  27
  28 VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
  29
  30
  31 class NewSPAdminPage(Page):
  32
  33     def __init__(self, site, parent):
  34         super(NewSPAdminPage, self).__init__(site, form=True)
  35         self.parent = parent
  36         self.title = 'New Service Provider'
  37         self.backurl = parent.url
  38         self.url = '%s/new' % (parent.url,)
  39
  40     def form_new(self, message=None, message_type=None):
  41         return self._template('admin/providers/saml2_sp_new.html',
  42                               title=self.title,
  43                               message=message,
  44                               message_type=message_type,
  45                               name='saml2_sp_new_form',
  46                               backurl=self.backurl, action=self.url)
  47
  48     def GET(self, *args, **kwargs):
  49         return self.form_new()
  50
  51     def POST(self, *args, **kwargs):
  52
  53         if self.user.is_admin:
  54             #TODO: allow authenticated user to create SPs on their own
  55             #      set the owner in that case
  56             name = None
  57             meta = None
  58             if 'content-type' not in cherrypy.request.headers:
  59                 self._debug("Invalid request, missing content-type")
  60                 message = "Malformed request"
  61                 message_type = "error"
  62                 return self.form_new(message, message_type)
  63             ctype = cherrypy.request.headers['content-type'].split(';')[0]
  64             if ctype != 'multipart/form-data':
  65                 self._debug("Invalid form type (%s), trying to cope" % (
  66                             cherrypy.request.content_type,))
  67             for key, value in kwargs.iteritems():
  68                 if key == 'name':
  69                     if re.search(VALID_IN_NAME, value):
  70                         message = "Invalid name!" \
  71                                   " Use only numbers and letters"
  72                         message_type = "error"
  73                         return self.form_new(message, message_type)
  74
  75                     name = value
  76                 elif key == 'meta':
  77                     if hasattr(value, 'content_type'):
  78                         meta = value.fullvalue()
  79                     else:
  80                         self._debug("Invalid format for 'meta'")
  81
  82             if name and meta:
  83                 try:
  84                     spc = ServiceProviderCreator(self.parent.cfg)
  85                     sp = spc.create_from_buffer(name, meta)
  86                     sp_page = self.parent.add_sp(name, sp)
  87                     message = "SP Successfully added"
  88                     message_type = "success"
  89                     return sp_page.form_standard(message, message_type)
  90                 except InvalidProviderId, e:
  91                     message = str(e)
  92                     message_type = "error"
  93                 except Exception, e:  # pylint: disable=broad-except
  94                     self._debug(repr(e))
  95                     message = "Failed to create Service Provider!"
  96                     message_type = "error"
  97             else:
  98                 message = "A name and a metadata file must be provided"
  99                 message_type = "error"
 100         else:
 101             message = "Unauthorized"
 102             message_type = "error"
 103
 104         return self.form_new(message, message_type)
 105
 106
 107 class InvalidValueFormat(Exception):
 108     pass
 109
 110
 111 class UnauthorizedUser(Exception):
 112     pass
 113
 114
 115 class SPAdminPage(Page):
 116
 117     def __init__(self, sp, site, parent):
 118         super(SPAdminPage, self).__init__(site, form=True)
 119         self.parent = parent
 120         self.sp = sp
 121         self.title = sp.name
 122         self.backurl = parent.url
 123         self.url = '%s/sp/%s' % (parent.url, sp.name)
 124
 125     def form_standard(self, message=None, message_type=None):
 126         return self._template('admin/providers/saml2_sp.html',
 127                               message=message,
 128                               message_type=message_type,
 129                               title=self.title,
 130                               name='saml2_sp_%s_form' % self.sp.name,
 131                               backurl=self.backurl, action=self.url,
 132                               data=self.sp)
 133
 134     def GET(self, *args, **kwargs):
 135         return self.form_standard()
 136
 137     def change_name(self, key, value):
 138
 139         if value == self.sp.name:
 140             return False
 141
 142         if self.user.is_admin or self.user.name == self.sp.owner:
 143             if re.search(VALID_IN_NAME, value):
 144                 err = "Invalid name! Use only numbers and letters"
 145                 raise InvalidValueFormat(err)
 146
 147             self._debug("Replacing %s: %s -> %s" % (key, self.sp.name, value))
 148             return {'name': value, 'rename': [self.sp.name, value]}
 149         else:
 150             raise UnauthorizedUser("Unauthorized to rename Service Provider")
 151
 152     def change_owner(self, key, value):
 153         if value == self.sp.owner:
 154             return False
 155
 156         if self.user.is_admin:
 157             self._debug("Replacing %s: %s -> %s" % (key, self.sp.owner, value))
 158             return {'owner': value}
 159         else:
 160             raise UnauthorizedUser("Unauthorized to set owner value")
 161
 162     def change_default_nameid(self, key, value):
 163         if value == self.sp.default_nameid:
 164             return False
 165
 166         if self.user.is_admin:
 167             self._debug("Replacing %s: %s -> %s" % (key,
 168                                                     self.sp.default_nameid,
 169                                                     value))
 170             if not self.sp.is_valid_nameid(value):
 171                 raise InvalidValueFormat('Invalid default nameid value')
 172             return {'default_nameid': value}
 173         else:
 174             raise UnauthorizedUser("Unauthorized to set default nameid value")
 175
 176     def change_allowed_nameids(self, key, value):
 177         v = set([x.strip() for x in value.split(',')])
 178         if v == set(self.sp.allowed_nameids):
 179             return False
 180
 181         if self.user.is_admin:
 182             self._debug("Replacing %s: %s -> %s" % (key,
 183                                                     self.sp.allowed_nameids,
 184                                                     list(v)))
 185             for x in v:
 186                 if not self.sp.is_valid_nameid(x):
 187                     l = ', '.join(self.sp.valid_nameids())
 188                     err = 'Invalid nameid [%s]. Available [%s].' % (x, l)
 189                     raise InvalidValueFormat(err)
 190             return {'allowed_nameids': list(v)}
 191         else:
 192             raise UnauthorizedUser("Unauthorized to set alowed nameids values")
 193
 194     def POST(self, *args, **kwargs):
 195
 196         message = "Nothing was modified."
 197         message_type = "info"
 198         results = dict()
 199
 200         try:
 201             for key, value in kwargs.iteritems():
 202                 if key == 'name':
 203                     r = self.change_name(key, value)
 204                     if r:
 205                         results.update(r)
 206                 elif key == 'owner':
 207                     r = self.change_owner(key, value)
 208                     if r:
 209                         results.update(r)
 210
 211                 elif key == 'default_nameid':
 212                     r = self.change_default_nameid(key, value)
 213                     if r:
 214                         results.update(r)
 215
 216                 elif key == 'allowed_nameids':
 217                     r = self.change_allowed_nameids(key, value)
 218                     if r:
 219                         results.update(r)
 220
 221         except InvalidValueFormat, e:
 222             message = str(e)
 223             message_type = "warning"
 224             return self.form_standard(message, message_type)
 225         except UnauthorizedUser, e:
 226             message = str(e)
 227             message_type = "error"
 228             return self.form_standard(message, message_type)
 229         except Exception, e:  # pylint: disable=broad-except
 230             self._debug("Error: %s" % repr(e))
 231             message = "Internal Error"
 232             message_type = "error"
 233             return self.form_standard(message, message_type)
 234
 235         if len(results) > 0:
 236             try:
 237                 if 'name' in results:
 238                     self.sp.name = results['name']
 239                 if 'owner' in results:
 240                     self.sp.owner = results['owner']
 241                 if 'default_nameid' in results:
 242                     self.sp.default_nameid = results['default_nameid']
 243                 if 'allowed_nameids' in results:
 244                     self.sp.allowed_nameids = results['allowed_nameids']
 245                 self.sp.save_properties()
 246                 if 'rename' in results:
 247                     rename = results['rename']
 248                     self.parent.rename_sp(rename[0], rename[1])
 249                 message = "Properties succssfully changed"
 250                 message_type = "success"
 251             except Exception:  # pylint: disable=broad-except
 252                 message = "Failed to save data!"
 253                 message_type = "error"
 254
 255         return self.form_standard(message, message_type)
 256
 257     def delete(self):
 258         self.parent.del_sp(self.sp.name)
 259         self.sp.permanently_delete()
 260         return self.parent.root()
 261     delete.exposed = True
 262
 263
 264 class AdminPage(Page):
 265     def __init__(self, site, config):
 266         super(AdminPage, self).__init__(site)
 267         self.name = 'admin'
 268         self.cfg = config
 269         self.providers = []
 270         self.menu = []
 271         self.url = None
 272         self.sp = Page(self._site)
 273
 274     def add_sp(self, name, sp):
 275         page = SPAdminPage(sp, self._site, self)
 276         self.sp.add_subtree(name, page)
 277         self.providers.append(sp)
 278         return page
 279
 280     def rename_sp(self, oldname, newname):
 281         page = getattr(self.sp, oldname)
 282         self.sp.del_subtree(oldname)
 283         self.sp.add_subtree(newname, page)
 284
 285     def del_sp(self, name):
 286         try:
 287             page = getattr(self.sp, name)
 288             self.providers.remove(page.sp)
 289             self.sp.del_subtree(name)
 290         except Exception, e:  # pylint: disable=broad-except
 291             self._debug("Failed to remove provider %s: %s" % (name, str(e)))
 292
 293     def mount(self, page):
 294         self.menu = page.menu
 295         self.url = '%s/%s' % (page.url, self.name)
 296         for p in self.cfg.idp.get_providers():
 297             try:
 298                 sp = ServiceProvider(self.cfg, p)
 299                 self.add_sp(sp.name, sp)
 300             except Exception, e:  # pylint: disable=broad-except
 301                 self._debug("Failed to find provider %s: %s" % (p, str(e)))
 302         self.add_subtree('new', NewSPAdminPage(self._site, self))
 303         page.add_subtree(self.name, self)
 304
 305     def root(self, *args, **kwargs):
 306         return self._template('admin/providers/saml2.html',
 307                               title='SAML2 Administration',
 308                               providers=self.providers,
 309                               baseurl=self.url,
 310                               menu=self.menu)