ipsilon/providers/saml2/admin.py

   1 #!/usr/bin/python
   2 #
   3 # Copyright (C) 2014  Simo Sorce <simo@redhat.com>
   4 #
   5 # see file 'COPYING' for use and warranty information
   6 #
   7 # This program is free software; you can redistribute it and/or modify
   8 # it under the terms of the GNU General Public License as published by
   9 # the Free Software Foundation, either version 3 of the License, or
  10 # (at your option) any later version.
  11 #
  12 # This program is distributed in the hope that it will be useful,
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 # GNU General Public License for more details.
  16 #
  17 # You should have received a copy of the GNU General Public License
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19
  20 import cherrypy
  21 from ipsilon.util.page import Page
  22 from ipsilon.providers.saml2.provider import ServiceProvider
  23 from ipsilon.providers.saml2.provider import ServiceProviderCreator
  24 from ipsilon.providers.saml2.provider import InvalidProviderId
  25 import re
  26
  27
  28 VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
  29
  30
  31 class NewSPAdminPage(Page):
  32
  33     def __init__(self, site, parent):
  34         super(NewSPAdminPage, self).__init__(site)
  35         self.parent = parent
  36         self.title = 'New Service Provider'
  37         self.backurl = parent.url
  38         self.url = '%s/new' % (parent.url,)
  39
  40     def form_new(self, message=None, message_type=None):
  41         return self._template('admin/providers/saml2_sp_new.html',
  42                               title=self.title,
  43                               message=message,
  44                               message_type=message_type,
  45                               name='saml2_sp_new_form',
  46                               backurl=self.backurl, action=self.url)
  47
  48     def GET(self, *args, **kwargs):
  49         return self.form_new()
  50
  51     def POST(self, *args, **kwargs):
  52
  53         if self.user.is_admin:
  54             #TODO: allow authenticated user to create SPs on their own
  55             #      set the owner in that case
  56             name = None
  57             meta = None
  58             if 'content-type' not in cherrypy.request.headers:
  59                 self._debug("Invalid request, missing content-type")
  60                 message = "Malformed request"
  61                 message_type = "error"
  62                 return self.form_new(message, message_type)
  63             ctype = cherrypy.request.headers['content-type'].split(';')[0]
  64             if ctype != 'multipart/form-data':
  65                 self._debug("Invalid form type (%s), trying to cope" % (
  66                             cherrypy.request.content_type,))
  67             for key, value in kwargs.iteritems():
  68                 if key == 'name':
  69                     if re.search(VALID_IN_NAME, value):
  70                         message = "Invalid name!" \
  71                                   " Use only numbers and letters"
  72                         message_type = "error"
  73                         return self.form_new(message, message_type)
  74
  75                     name = value
  76                 elif key == 'meta':
  77                     if hasattr(value, 'content_type'):
  78                         meta = value.fullvalue()
  79                     else:
  80                         self._debug("Invalid format for 'meta'")
  81
  82             if name and meta:
  83                 try:
  84                     spc = ServiceProviderCreator(self.parent.cfg)
  85                     sp = spc.create_from_buffer(name, meta)
  86                     sp_page = self.parent.add_sp(name, sp)
  87                     message = "SP Successfully added"
  88                     message_type = "success"
  89                     return sp_page.form_standard(message, message_type)
  90                 except InvalidProviderId, e:
  91                     message = str(e)
  92                     message_type = "error"
  93                 except Exception, e:  # pylint: disable=broad-except
  94                     self._debug(repr(e))
  95                     message = "Failed to create Service Provider!"
  96                     message_type = "error"
  97             else:
  98                 message = "A name and a metadata file must be provided"
  99                 message_type = "error"
 100         else:
 101             message = "Unauthorized"
 102             message_type = "error"
 103
 104         return self.form_new(message, message_type)
 105
 106     def root(self, *args, **kwargs):
 107         op = getattr(self, cherrypy.request.method, self.GET)
 108         if callable(op):
 109             return op(*args, **kwargs)
 110
 111
 112 class InvalidValueFormat(Exception):
 113     pass
 114
 115
 116 class UnauthorizedUser(Exception):
 117     pass
 118
 119
 120 class SPAdminPage(Page):
 121
 122     def __init__(self, sp, site, parent):
 123         super(SPAdminPage, self).__init__(site)
 124         self.parent = parent
 125         self.sp = sp
 126         self.title = sp.name
 127         self.backurl = parent.url
 128         self.url = '%s/sp/%s' % (parent.url, sp.name)
 129
 130     def form_standard(self, message=None, message_type=None):
 131         return self._template('admin/providers/saml2_sp.html',
 132                               message=message,
 133                               message_type=message_type,
 134                               title=self.title,
 135                               name='saml2_sp_%s_form' % self.sp.name,
 136                               backurl=self.backurl, action=self.url,
 137                               data=self.sp)
 138
 139     def GET(self, *args, **kwargs):
 140         return self.form_standard()
 141
 142     def change_name(self, key, value):
 143
 144         if value == self.sp.name:
 145             return False
 146
 147         if self.user.is_admin or self.user.name == self.sp.owner:
 148             if re.search(VALID_IN_NAME, value):
 149                 err = "Invalid name! Use only numbers and letters"
 150                 raise InvalidValueFormat(err)
 151
 152             self._debug("Replacing %s: %s -> %s" % (key, self.sp.name, value))
 153             return {'name': value, 'rename': [self.sp.name, value]}
 154         else:
 155             raise UnauthorizedUser("Unauthorized to rename Service Provider")
 156
 157     def change_owner(self, key, value):
 158         if value == self.sp.owner:
 159             return False
 160
 161         if self.user.is_admin:
 162             self._debug("Replacing %s: %s -> %s" % (key, self.sp.owner, value))
 163             return {'owner': value}
 164         else:
 165             raise UnauthorizedUser("Unauthorized to set owner value")
 166
 167     def change_default_nameid(self, key, value):
 168         if value == self.sp.default_nameid:
 169             return False
 170
 171         if self.user.is_admin:
 172             self._debug("Replacing %s: %s -> %s" % (key,
 173                                                     self.sp.default_nameid,
 174                                                     value))
 175             return {'default_nameid': value}
 176         else:
 177             raise UnauthorizedUser("Unauthorized to set default nameid value")
 178
 179     def change_allowed_nameids(self, key, value):
 180         v = set([x.strip() for x in value.split(',')])
 181         if v == set(self.sp.allowed_nameids):
 182             return False
 183
 184         if self.user.is_admin:
 185             self._debug("Replacing %s: %s -> %s" % (key,
 186                                                     self.sp.allowed_nameids,
 187                                                     list(v)))
 188             return {'allowed_nameids': list(v)}
 189         else:
 190             raise UnauthorizedUser("Unauthorized to set alowed nameids values")
 191
 192     def POST(self, *args, **kwargs):
 193
 194         message = "Nothing was modified."
 195         message_type = "info"
 196         results = dict()
 197
 198         try:
 199             for key, value in kwargs.iteritems():
 200                 if key == 'name':
 201                     r = self.change_name(key, value)
 202                     if r:
 203                         results.update(r)
 204                 elif key == 'owner':
 205                     r = self.change_owner(key, value)
 206                     if r:
 207                         results.update(r)
 208
 209                 elif key == 'default_nameid':
 210                     r = self.change_default_nameid(key, value)
 211                     if r:
 212                         results.update(r)
 213
 214                 elif key == 'allowed_nameids':
 215                     r = self.change_allowed_nameids(key, value)
 216                     if r:
 217                         results.update(r)
 218
 219         except InvalidValueFormat, e:
 220             message = str(e)
 221             message_type = "warning"
 222             return self.form_standard(message, message_type)
 223         except UnauthorizedUser, e:
 224             message = str(e)
 225             message_type = "error"
 226             return self.form_standard(message, message_type)
 227         except Exception, e:  # pylint: disable=broad-except
 228             self._debug("Error: %s" % repr(e))
 229             message = "Internal Error"
 230             message_type = "error"
 231             return self.form_standard(message, message_type)
 232
 233         if len(results) > 0:
 234             try:
 235                 if 'name' in results:
 236                     self.sp.name = results['name']
 237                 if 'owner' in results:
 238                     self.sp.owner = results['owner']
 239                 if 'default_nameid' in results:
 240                     self.sp.default_nameid = results['default_nameid']
 241                 if 'allowed_nameids' in results:
 242                     self.sp.allowed_nameids = results['allowed_nameids']
 243                 self.sp.save_properties()
 244                 if 'rename' in results:
 245                     rename = results['rename']
 246                     self.parent.rename_sp(rename[0], rename[1])
 247                 message = "Properties succssfully changed"
 248                 message_type = "success"
 249             except Exception:  # pylint: disable=broad-except
 250                 message = "Failed to save data!"
 251                 message_type = "error"
 252
 253         return self.form_standard(message, message_type)
 254
 255     def root(self, *args, **kwargs):
 256         op = getattr(self, cherrypy.request.method, self.GET)
 257         if callable(op):
 258             return op(*args, **kwargs)
 259
 260     def delete(self):
 261         self.parent.del_sp(self.sp.name)
 262         self.sp.permanently_delete()
 263         return self.parent.root()
 264     delete.exposed = True
 265
 266
 267 class AdminPage(Page):
 268     def __init__(self, site, config):
 269         super(AdminPage, self).__init__(site)
 270         self.name = 'admin'
 271         self.cfg = config
 272         self.providers = []
 273         self.menu = []
 274         self.url = None
 275         self.sp = Page(self._site)
 276
 277     def add_sp(self, name, sp):
 278         page = SPAdminPage(sp, self._site, self)
 279         self.sp.add_subtree(name, page)
 280         self.providers.append(sp)
 281         return page
 282
 283     def rename_sp(self, oldname, newname):
 284         page = getattr(self.sp, oldname)
 285         self.sp.del_subtree(oldname)
 286         self.sp.add_subtree(newname, page)
 287
 288     def del_sp(self, name):
 289         try:
 290             page = getattr(self.sp, name)
 291             self.providers.remove(page.sp)
 292             self.sp.del_subtree(name)
 293         except Exception, e:  # pylint: disable=broad-except
 294             self._debug("Failed to remove provider %s: %s" % (name, str(e)))
 295
 296     def mount(self, page):
 297         self.menu = page.menu
 298         self.url = '%s/%s' % (page.url, self.name)
 299         for p in self.cfg.idp.get_providers():
 300             try:
 301                 sp = ServiceProvider(self.cfg, p)
 302                 self.add_sp(sp.name, sp)
 303             except Exception, e:  # pylint: disable=broad-except
 304                 self._debug("Failed to find provider %s: %s" % (p, str(e)))
 305         self.add_subtree('new', NewSPAdminPage(self._site, self))
 306         page.add_subtree(self.name, self)
 307
 308     def root(self, *args, **kwargs):
 309         return self._template('admin/providers/saml2.html',
 310                               title='SAML2 Administration',
 311                               providers=self.providers,
 312                               baseurl=self.url,
 313                               menu=self.menu)