In configure we do not need to set_config()

[cascardo/ipsilon.git] / ipsilon / providers / saml2idp.py

diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index 0ac2a72..cb2c4a2 100755 (executable)
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -20,7 +20,7 @@
 from ipsilon.providers.common import ProviderBase, ProviderPageBase
 from ipsilon.providers.common import FACILITY
 from ipsilon.providers.saml2.auth import AuthenticateRequest
-from ipsilon.providers.saml2.admin import AdminPage
+from ipsilon.providers.saml2.admin import Saml2AdminPage
 from ipsilon.providers.saml2.provider import IdentityProvider
 from ipsilon.tools.certs import Certificate
 from ipsilon.tools import saml2metadata as metadata
@@ -60,8 +60,8 @@ class Continue(AuthenticateRequest):
 
         session = UserSession()
         user = session.get_user()
-        session.nuke_data('login', 'Return')
-        self.stage = session.get_data('saml2', 'stage')
+        transdata = self.trans.retrieve()
+        self.stage = transdata['saml2_stage']
 
         if user.is_anonymous:
             self._debug("User is marked anonymous?!")
@@ -70,11 +70,11 @@ class Continue(AuthenticateRequest):
 
         self._debug('Continue auth for %s' % user.name)
 
-        dump = session.get_data('saml2', 'Request')
-        if not dump:
+        if 'saml2_request' not in transdata:
             self._debug("Couldn't find Request dump?!")
             # TODO: Return to SP with auth failed error
             raise cherrypy.HTTPError(400)
+        dump = transdata['saml2_request']
 
         try:
             login = self.cfg.idp.get_login_handler(dump)
@@ -113,27 +113,6 @@ class SAML2(ProviderPageBase):
     def __init__(self, *args, **kwargs):
         super(SAML2, self).__init__(*args, **kwargs)
         self.metadata = Metadata(*args, **kwargs)
-
-        # Init IDP data
-        try:
-            self.cfg.idp = IdentityProvider(self.cfg)
-        except Exception, e:  # pylint: disable=broad-except
-            self._debug('Failed to init SAML2 provider: %r' % e)
-            return
-
-        # Import all known applications
-        data = self.cfg.get_data()
-        for idval in data:
-            sp = data[idval]
-            if 'type' not in sp or sp['type'] != 'SP':
-                continue
-            if 'name' not in sp or 'metadata' not in sp:
-                continue
-            try:
-                self.cfg.idp.add_provider(sp)
-            except Exception, e:  # pylint: disable=broad-except
-                self._debug('Failed to add SP %s: %r' % (sp['name'], e))
-
         self.SSO = SSO(*args, **kwargs)
 
 
@@ -141,6 +120,7 @@ class IdpProvider(ProviderBase):
 
     def __init__(self):
         super(IdpProvider, self).__init__('saml2', 'saml2')
+        self.admin = None
         self.page = None
         self.idp = None
         self.description = """
@@ -232,10 +212,41 @@ Provides SAML 2.0 authentication infrastructure. """
         return self.get_config_value('default email domain')
 
     def get_tree(self, site):
+        self.idp = self.init_idp()
         self.page = SAML2(site, self)
-        self.admin = AdminPage(site, self)
+        self.admin = Saml2AdminPage(site, self)
         return self.page
 
+    def init_idp(self):
+        idp = None
+        # Init IDP data
+        try:
+            idp = IdentityProvider(self)
+        except Exception, e:  # pylint: disable=broad-except
+            self._debug('Failed to init SAML2 provider: %r' % e)
+            return None
+
+        # Import all known applications
+        data = self.get_data()
+        for idval in data:
+            sp = data[idval]
+            if 'type' not in sp or sp['type'] != 'SP':
+                continue
+            if 'name' not in sp or 'metadata' not in sp:
+                continue
+            try:
+                idp.add_provider(sp)
+            except Exception, e:  # pylint: disable=broad-except
+                self._debug('Failed to add SP %s: %r' % (sp['name'], e))
+
+        return idp
+
+    def on_enable(self):
+        self.init_idp()
+        if hasattr(self, 'admin'):
+            if self.admin:
+                self.admin.add_sps()
+
 
 class Installer(object):
 
@@ -246,16 +257,13 @@ class Installer(object):
     def install_args(self, group):
         group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
                            help='Configure SAML2 Provider')
-        group.add_argument('--saml2-storage',
-                           default='/var/lib/ipsilon/saml2',
-                           help='SAML2 Provider storage area')
 
     def configure(self, opts):
         if opts['saml2'] != 'yes':
             return
 
         # Check storage path is present or create it
-        path = opts['saml2_storage']
+        path = os.path.join(opts['data_dir'], 'saml2')
         if not os.path.exists(path):
             os.makedirs(path, 0700)
 
@@ -264,14 +272,17 @@ class Installer(object):
         cert.generate('idp', opts['hostname'])
 
         # Generate Idp Metadata
-        url = 'https://' + opts['hostname'] + '/idp/saml2'
+        proto = 'https'
+        if opts['secure'].lower() == 'no':
+            proto = 'http'
+        url = '%s://%s/%s/saml2' % (proto, opts['hostname'], opts['instance'])
         meta = metadata.Metadata(metadata.IDP_ROLE)
         meta.set_entity_id(url + '/metadata')
         meta.add_certs(cert, cert)
         meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
-                         url + 'SSO/POST')
+                         url + '/SSO/POST')
         meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
-                         url + 'SSO/Redirect')
+                         url + '/SSO/Redirect')
 
         meta.add_allowed_name_format(
             lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
@@ -294,9 +305,9 @@ class Installer(object):
         config = {'idp storage path': path,
                   'idp metadata file': 'metadata.xml',
                   'idp certificate file': cert.cert,
-                  'idp key file': cert.key}
-        po.set_config(config)
-        po.save_plugin_config(FACILITY)
+                  'idp key file': cert.key,
+                  'enabled': '1'}
+        po.save_plugin_config(FACILITY, config)
 
         # Fixup permissions so only the ipsilon user can read these files
         files.fix_user_dirs(path, opts['system_user'])