We were previously only validating the SP name in the admin pages
for SP creation and update. The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.
This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code. This
ensures that validation will occur regardless of the interface
that is used. In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.
https://fedorahosted.org/ipsilon/ticket/102
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import ServiceProviderCreator
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import ServiceProviderCreator
from ipsilon.providers.saml2.provider import InvalidProviderId
-VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
-
-
class NewSPAdminPage(AdminPage):
def __init__(self, site, parent):
class NewSPAdminPage(AdminPage):
def __init__(self, site, parent):
cherrypy.request.content_type,))
for key, value in kwargs.iteritems():
if key == 'name':
cherrypy.request.content_type,))
for key, value in kwargs.iteritems():
if key == 'name':
- if re.search(VALID_IN_NAME, value):
- message = "Invalid name!" \
- " Use only numbers and letters"
- message_type = ADMIN_STATUS_ERROR
- return self.form_new(message, message_type)
-
name = value
elif key == 'metatext':
if len(value) > 0:
name = value
elif key == 'metatext':
if len(value) > 0:
return False
if self.user.is_admin or self.user.name == self.sp.owner:
return False
if self.user.is_admin or self.user.name == self.sp.owner:
- if re.search(VALID_IN_NAME, value):
+ if not self.sp.is_valid_name(value):
err = "Invalid name! Use only numbers and letters"
raise InvalidValueFormat(err)
err = "Invalid name! Use only numbers and letters"
raise InvalidValueFormat(err)
from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
from ipsilon.util.log import Log
import lasso
from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
from ipsilon.util.log import Log
import lasso
+import re
+
+
+VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
class InvalidProviderId(ProviderException):
class InvalidProviderId(ProviderException):
return username.split('@', 1)[0]
return username
return username.split('@', 1)[0]
return username
+ def is_valid_name(self, value):
+ if re.search(VALID_IN_NAME, value):
+ return False
+ return True
+
def is_valid_nameid(self, value):
if value in SAML2_NAMEID_MAP:
return True
def is_valid_nameid(self, value):
if value in SAML2_NAMEID_MAP:
return True
def create_from_buffer(self, name, metabuf):
'''Test and add data'''
def create_from_buffer(self, name, metabuf):
'''Test and add data'''
+ if re.search(VALID_IN_NAME, name):
+ raise InvalidProviderId("Name must contain only "
+ "numbers and letters")
+
test = lasso.Server()
test.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, metabuf)
newsps = test.get_providers()
test = lasso.Server()
test.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, metabuf)
newsps = test.get_providers()
'saml_auth': '/sp',
'httpd_user': '${TEST_USER}'}
'saml_auth': '/sp',
'httpd_user': '${TEST_USER}'}
+sp3_g = {'HTTPDCONFD': '${TESTDIR}/${NAME}/conf.d',
+ 'SAML2_TEMPLATE': '${TESTDIR}/templates/install/saml2/sp.conf',
+ 'SAML2_CONFFILE': '${TESTDIR}/${NAME}/conf.d/ipsilon-saml.conf',
+ 'SAML2_HTTPDIR': '${TESTDIR}/${NAME}/saml2'}
+
+
+sp3_a = {'hostname': '${ADDRESS}:${PORT}',
+ 'saml_idp_metadata': 'http://127.0.0.10:45080/idp1/saml2/metadata',
+ 'saml_secure_setup': 'False',
+ 'saml_auth': '/sp',
+ 'httpd_user': '${TEST_USER}'}
+
def fixup_sp_httpd(httpdir, alias):
location = """
def fixup_sp_httpd(httpdir, alias):
location = """
print "Starting SP's httpd server"
self.start_http_server(conf, env)
print "Starting SP's httpd server"
self.start_http_server(conf, env)
+ print "Installing third SP server"
+ name = 'sp3.invalid'
+ addr = '127.0.0.10'
+ port = '45083'
+ sp3 = self.generate_profile(sp3_g, sp3_a, name, addr, port)
+ conf = self.setup_sp_server(sp3, name, addr, port, env)
+ fixup_sp_httpd(os.path.dirname(conf), name)
+
+ print "Starting SP's httpd server"
+ self.start_http_server(conf, env)
+
if __name__ == '__main__':
idpname = 'idp1'
spname = 'sp1'
sp2name = 'sp2'
if __name__ == '__main__':
idpname = 'idp1'
spname = 'sp1'
sp2name = 'sp2'
+ sp3name = 'sp3.invalid'
user = pwd.getpwuid(os.getuid())[0]
sess = HttpSessions()
sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon')
sess.add_server(spname, 'http://127.0.0.11:45081')
sess.add_server(sp2name, 'http://127.0.0.10:45082')
user = pwd.getpwuid(os.getuid())[0]
sess = HttpSessions()
sess.add_server(idpname, 'http://127.0.0.10:45080', user, 'ipsilon')
sess.add_server(spname, 'http://127.0.0.11:45081')
sess.add_server(sp2name, 'http://127.0.0.10:45082')
+ sess.add_server(sp3name, 'http://127.0.0.10:45083')
print "testrest: Authenticate to IDP ...",
try:
print "testrest: Authenticate to IDP ...",
try:
# Now for some negative testing
# Now for some negative testing
+ print "testrest: Add illegally named Service Provider via REST ...",
+ try:
+ sess.add_sp_metadata(idpname, sp3name, rest=True)
+ except ValueError, e:
+ print " SUCCESS"
+ else:
+ print >> sys.stderr, "ERROR: " \
+ "Adding SP with invalid name should have failed and it didn't"
+ sys.exit(1)
+
print "testrest: Fetch non-existent REST endpoint ...",
try:
result = sess.fetch_rest_page(
print "testrest: Fetch non-existent REST endpoint ...",
try:
result = sess.fetch_rest_page(