X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Fproviders%2Fsaml2%2Fadmin.py;h=a9fb9e0118c5fe0ff659d4e36b62a18547e22538;hp=1e1ddb77d77b88438478dbd4fe63f1b9d9517e13;hb=c4aa2a8fc207d464aa23e065b5f2ad0549a58f5e;hpb=15ef3579e537523ea97714bf80c63f2f8f30d4bd diff --git a/ipsilon/providers/saml2/admin.py b/ipsilon/providers/saml2/admin.py index 1e1ddb7..a9fb9e0 100755 --- a/ipsilon/providers/saml2/admin.py +++ b/ipsilon/providers/saml2/admin.py @@ -17,8 +17,248 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import cherrypy from ipsilon.util.page import Page from ipsilon.providers.saml2.provider import ServiceProvider +from ipsilon.providers.saml2.provider import ServiceProviderCreator +from ipsilon.providers.saml2.provider import InvalidProviderId +import re + + +VALID_IN_NAME = r'[^\ a-zA-Z0-9]' + + +class NewSPAdminPage(Page): + + def __init__(self, site, parent): + super(NewSPAdminPage, self).__init__(site, form=True) + self.parent = parent + self.title = 'New Service Provider' + self.backurl = parent.url + self.url = '%s/new' % (parent.url,) + + def form_new(self, message=None, message_type=None): + return self._template('admin/providers/saml2_sp_new.html', + title=self.title, + message=message, + message_type=message_type, + name='saml2_sp_new_form', + backurl=self.backurl, action=self.url) + + def GET(self, *args, **kwargs): + return self.form_new() + + def POST(self, *args, **kwargs): + + if self.user.is_admin: + # TODO: allow authenticated user to create SPs on their own + # set the owner in that case + name = None + meta = None + if 'content-type' not in cherrypy.request.headers: + self._debug("Invalid request, missing content-type") + message = "Malformed request" + message_type = "error" + return self.form_new(message, message_type) + ctype = cherrypy.request.headers['content-type'].split(';')[0] + if ctype != 'multipart/form-data': + self._debug("Invalid form type (%s), trying to cope" % ( + cherrypy.request.content_type,)) + for key, value in kwargs.iteritems(): + if key == 'name': + if re.search(VALID_IN_NAME, value): + message = "Invalid name!" \ + " Use only numbers and letters" + message_type = "error" + return self.form_new(message, message_type) + + name = value + elif key == 'meta': + if hasattr(value, 'content_type'): + meta = value.fullvalue() + else: + self._debug("Invalid format for 'meta'") + + if name and meta: + try: + spc = ServiceProviderCreator(self.parent.cfg) + sp = spc.create_from_buffer(name, meta) + sp_page = self.parent.add_sp(name, sp) + message = "SP Successfully added" + message_type = "success" + return sp_page.form_standard(message, message_type) + except InvalidProviderId, e: + message = str(e) + message_type = "error" + except Exception, e: # pylint: disable=broad-except + self._debug(repr(e)) + message = "Failed to create Service Provider!" + message_type = "error" + else: + message = "A name and a metadata file must be provided" + message_type = "error" + else: + message = "Unauthorized" + message_type = "error" + + return self.form_new(message, message_type) + + +class InvalidValueFormat(Exception): + pass + + +class UnauthorizedUser(Exception): + pass + + +class SPAdminPage(Page): + + def __init__(self, sp, site, parent): + super(SPAdminPage, self).__init__(site, form=True) + self.parent = parent + self.sp = sp + self.title = sp.name + self.backurl = parent.url + self.url = '%s/sp/%s' % (parent.url, sp.name) + + def form_standard(self, message=None, message_type=None): + return self._template('admin/providers/saml2_sp.html', + message=message, + message_type=message_type, + title=self.title, + name='saml2_sp_%s_form' % self.sp.name, + backurl=self.backurl, action=self.url, + data=self.sp) + + def GET(self, *args, **kwargs): + return self.form_standard() + + def change_name(self, key, value): + + if value == self.sp.name: + return False + + if self.user.is_admin or self.user.name == self.sp.owner: + if re.search(VALID_IN_NAME, value): + err = "Invalid name! Use only numbers and letters" + raise InvalidValueFormat(err) + + self._debug("Replacing %s: %s -> %s" % (key, self.sp.name, value)) + return {'name': value, 'rename': [self.sp.name, value]} + else: + raise UnauthorizedUser("Unauthorized to rename Service Provider") + + def change_owner(self, key, value): + if value == self.sp.owner: + return False + + if self.user.is_admin: + self._debug("Replacing %s: %s -> %s" % (key, self.sp.owner, value)) + return {'owner': value} + else: + raise UnauthorizedUser("Unauthorized to set owner value") + + def change_default_nameid(self, key, value): + if value == self.sp.default_nameid: + return False + + if self.user.is_admin: + self._debug("Replacing %s: %s -> %s" % (key, + self.sp.default_nameid, + value)) + if not self.sp.is_valid_nameid(value): + raise InvalidValueFormat('Invalid default nameid value') + return {'default_nameid': value} + else: + raise UnauthorizedUser("Unauthorized to set default nameid value") + + def change_allowed_nameids(self, key, value): + v = set([x.strip() for x in value.split(',')]) + if v == set(self.sp.allowed_nameids): + return False + + if self.user.is_admin: + self._debug("Replacing %s: %s -> %s" % (key, + self.sp.allowed_nameids, + list(v))) + for x in v: + if not self.sp.is_valid_nameid(x): + l = ', '.join(self.sp.valid_nameids()) + err = 'Invalid nameid [%s]. Available [%s].' % (x, l) + raise InvalidValueFormat(err) + return {'allowed_nameids': list(v)} + else: + raise UnauthorizedUser("Unauthorized to set alowed nameids values") + + def POST(self, *args, **kwargs): + + message = "Nothing was modified." + message_type = "info" + results = dict() + + try: + for key, value in kwargs.iteritems(): + if key == 'name': + r = self.change_name(key, value) + if r: + results.update(r) + elif key == 'owner': + r = self.change_owner(key, value) + if r: + results.update(r) + + elif key == 'default_nameid': + r = self.change_default_nameid(key, value) + if r: + results.update(r) + + elif key == 'allowed_nameids': + r = self.change_allowed_nameids(key, value) + if r: + results.update(r) + + except InvalidValueFormat, e: + message = str(e) + message_type = "warning" + return self.form_standard(message, message_type) + except UnauthorizedUser, e: + message = str(e) + message_type = "error" + return self.form_standard(message, message_type) + except Exception, e: # pylint: disable=broad-except + self._debug("Error: %s" % repr(e)) + message = "Internal Error" + message_type = "error" + return self.form_standard(message, message_type) + + if len(results) > 0: + try: + if 'name' in results: + self.sp.name = results['name'] + if 'owner' in results: + self.sp.owner = results['owner'] + if 'default_nameid' in results: + self.sp.default_nameid = results['default_nameid'] + if 'allowed_nameids' in results: + self.sp.allowed_nameids = results['allowed_nameids'] + self.sp.save_properties() + if 'rename' in results: + rename = results['rename'] + self.parent.rename_sp(rename[0], rename[1]) + message = "Properties succssfully changed" + message_type = "success" + except Exception: # pylint: disable=broad-except + message = "Failed to save data!" + message_type = "error" + + return self.form_standard(message, message_type) + + def delete(self): + self.parent.del_sp(self.sp.name) + self.sp.permanently_delete() + return self.parent.root() + delete.exposed = True class AdminPage(Page): @@ -29,6 +269,26 @@ class AdminPage(Page): self.providers = [] self.menu = [] self.url = None + self.sp = Page(self._site) + + def add_sp(self, name, sp): + page = SPAdminPage(sp, self._site, self) + self.sp.add_subtree(name, page) + self.providers.append(sp) + return page + + def rename_sp(self, oldname, newname): + page = getattr(self.sp, oldname) + self.sp.del_subtree(oldname) + self.sp.add_subtree(newname, page) + + def del_sp(self, name): + try: + page = getattr(self.sp, name) + self.providers.remove(page.sp) + self.sp.del_subtree(name) + except Exception, e: # pylint: disable=broad-except + self._debug("Failed to remove provider %s: %s" % (name, str(e))) def mount(self, page): self.menu = page.menu @@ -36,9 +296,10 @@ class AdminPage(Page): for p in self.cfg.idp.get_providers(): try: sp = ServiceProvider(self.cfg, p) - self.providers.append(sp) + self.add_sp(sp.name, sp) except Exception, e: # pylint: disable=broad-except self._debug("Failed to find provider %s: %s" % (p, str(e))) + self.add_subtree('new', NewSPAdminPage(self._site, self)) page.add_subtree(self.name, self) def root(self, *args, **kwargs):