from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
from ipsilon.tools.saml2metadata import SAML2_SERVICE_MAP
from ipsilon.tools.certs import Certificate
-from string import Template
+from ipsilon.tools import files
import argparse
+import ConfigParser
import logging
import os
import pwd
raise
path = None
- if args['saml_httpd']:
+ if not args['saml_no_httpd']:
path = os.path.join(SAML2_HTTPDIR, args['hostname'])
os.makedirs(path, 0750)
else:
path = os.getcwd()
- url = 'https://' + args['hostname']
+ proto = 'https'
+ if not args['saml_secure_setup']:
+ proto = 'http'
+ url = '%s://%s' % (proto, args['hostname'])
url_sp = url + args['saml_sp']
url_logout = url + args['saml_sp_logout']
url_post = url + args['saml_sp_post']
sp_metafile = os.path.join(path, 'metadata.xml')
m.output(sp_metafile)
- if args['saml_httpd']:
+ if not args['saml_no_httpd']:
idp_metafile = os.path.join(path, 'idp-metadata.xml')
with open(idp_metafile, 'w+') as f:
f.write(idpmeta)
saml_protect = 'info'
saml_auth = '<Location %s>\n' \
' MellonEnable "auth"\n' \
+ ' Header append Cache-Control "no-cache"\n' \
'</Location>\n' % args['saml_auth']
psp = '# '
# default location, enable the default page
psp = ''
- with open(SAML2_TEMPLATE) as f:
- template = f.read()
- t = Template(template)
- hunk = t.substitute(saml_base=args['saml_base'],
- saml_protect=saml_protect,
- saml_sp_key=c.key,
- saml_sp_cert=c.cert,
- saml_sp_meta=sp_metafile,
- saml_idp_meta=idp_metafile,
- saml_sp=args['saml_sp'],
- saml_auth=saml_auth, sp=psp)
-
- with open(SAML2_CONFFILE, 'w+') as f:
- f.write(hunk)
-
- pw = pwd.getpwnam(args['httpd_user'])
- for root, dirs, files in os.walk(SAML2_HTTPDIR):
- for name in dirs:
- target = os.path.join(root, name)
- os.chown(target, pw.pw_uid, pw.pw_gid)
- os.chmod(target, 0700)
- for name in files:
- target = os.path.join(root, name)
- os.chown(target, pw.pw_uid, pw.pw_gid)
- os.chmod(target, 0600)
+ saml_secure = 'Off'
+ ssl_require = '#'
+ ssl_rewrite = '#'
+ if args['saml_secure_setup']:
+ saml_secure = 'On'
+ ssl_require = ''
+ ssl_rewrite = ''
+
+ samlopts = {'saml_base': args['saml_base'],
+ 'saml_protect': saml_protect,
+ 'saml_sp_key': c.key,
+ 'saml_sp_cert': c.cert,
+ 'saml_sp_meta': sp_metafile,
+ 'saml_idp_meta': idp_metafile,
+ 'saml_sp': args['saml_sp'],
+ 'saml_secure_on': saml_secure,
+ 'saml_auth': saml_auth,
+ 'ssl_require': ssl_require,
+ 'ssl_rewrite': ssl_rewrite,
+ 'sp_hostname': args['hostname'],
+ 'sp': psp}
+ files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)
+
+ files.fix_user_dirs(SAML2_HTTPDIR, args['httpd_user'])
logger.info('SAML Service Provider configured.')
logger.info('You should be able to restart the HTTPD server and' +
logger.error(e)
+def parse_config_profile(args):
+ config = ConfigParser.ConfigParser()
+ files = config.read(args['config_profile'])
+ if len(files) == 0:
+ raise ConfigurationError('Config Profile file %s not found!' %
+ args['config_profile'])
+
+ if 'globals' in config.sections():
+ G = config.options('globals')
+ for g in G:
+ val = config.get('globals', g)
+ if val == 'False':
+ val = False
+ elif val == 'True':
+ val = True
+ if g in globals():
+ globals()[g] = val
+ else:
+ for k in globals().keys():
+ if k.lower() == g.lower():
+ globals()[k] = val
+ break
+
+ if 'arguments' in config.sections():
+ A = config.options('arguments')
+ for a in A:
+ val = config.get('arguments', a)
+ if val == 'False':
+ val = False
+ elif val == 'True':
+ val = True
+ args[a] = val
+
+ return args
+
+
def parse_args():
global args
help="Account allowed to create a SP")
parser.add_argument('--httpd-user', default='apache',
help="Web server account used to read certs")
- parser.add_argument('--saml', action='store_true', default=False,
+ parser.add_argument('--saml', action='store_true', default=True,
help="Whether to install a saml2 SP")
parser.add_argument('--saml-idp-metadata', default=None,
help="A URL pointing at the IDP Metadata (FILE or HTTP)")
- parser.add_argument('--saml-httpd', action='store_true', default=False,
- help="Automatically configure httpd")
+ parser.add_argument('--saml-no-httpd', action='store_true', default=False,
+ help="Do not configure httpd")
parser.add_argument('--saml-base', default='/',
help="Where saml2 authdata is available")
parser.add_argument('--saml-auth', default=SAML2_PROTECTED,
help="Single Logout URL")
parser.add_argument('--saml-sp-post', default='/saml2/postResponse',
help="Post response URL")
+ parser.add_argument('--saml-secure-setup', action='store_true',
+ default=True, help="Turn on all security checks")
parser.add_argument('--debug', action='store_true', default=False,
help="Turn on script debugging")
+ parser.add_argument('--config-profile', default=None,
+ help="File containing install options")
parser.add_argument('--uninstall', action='store_true',
help="Uninstall the server and all data")
args = vars(parser.parse_args())
+ if args['config_profile']:
+ args = parse_config_profile(args)
+
if len(args['hostname'].split('.')) < 2:
raise ValueError('Hostname: %s is not a FQDN.')