cascardo/ipsilon.git
3 years ago  pam: use a pam object method instead of pam module function  [master]
Thadeu Lima de Souza Cascardo [Thu, 19 Nov 2015 00:17:50 +0000 (22:17 -0200)]
pam: use a pam object method instead of pam module function

authenticate is a method for a pam object. This prevents a 500 error
when using the PAM plugin.

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@cascardo.eti.br>
3 years ago  Update spec file dependencies on lasso and mellon
John Dennis [Mon, 16 Nov 2015 21:48:09 +0000 (16:48 -0500)]
Update spec file dependencies on lasso and mellon

ECP support requires at least lasso 2.5.0 and at least
mod_auth_mellon 0.11.0. Add these requirements to the
RPM spec file.

Ticket: 139
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Verify that uploaded files are readable when selected
Rob Crittenden [Tue, 3 Nov 2015 15:26:36 +0000 (10:26 -0500)]
Verify that uploaded files are readable when selected

When selecting a file using file input this doesn't guarantee
that the file contents are readable. No real error is provided
in this case, things just don't work as expected.

When adding a SAML SP and the metadata file or image is provided via
file upload try to read the file in the browser first and pop up an
alert if it is unreadable.

https://fedorahosted.org/ipsilon/ticket/22

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: John Dennis <jdennis@redhat.com>
3 years ago  Add support for IdP-initiated login
Rob Crittenden [Wed, 28 Oct 2015 20:29:57 +0000 (16:29 -0400)]
Add support for IdP-initiated login

This uses the Redirect SSO endpoint and two new optional
arguments: SPIdentifier and RelayState.

SPIdentifier is the provider ID of the SP.
RelayState is where on the SP the user should be sent.

If the user is already authenticated then a SAMLResponse is generated
and the existing HTML page is generated and sent to the user including
this response and the value of RelayState (if any). This will then POST
to the SP and the user will be shown the page on the SP.

If the user is not authenticated then they will be given the login page
after which they will be sent to the SP.

The link to the SP on the IdP Portal has changed to be an IdP-initiated
login. If a user bookmarks this link then they will always go to that
SP and be authenticated first, if needed.

https://fedorahosted.org/ipsilon/ticket/138

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: John Dennis <jdennis@redhat.com>
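The flow the commit describes, as an added example (not Ipsilon's code): the IdP builds a bookmarkable link carrying SPIdentifier and RelayState, and once the user is authenticated it answers with the self-submitting HTML-POST form that carries the SAMLResponse and RelayState to the SP. Two details a practitioner wants here go beyond the commit text and are assumptions of this example: RelayState arrives on an unauthenticated endpoint, so only values that stay on the SP's own origin (compared against its AssertionConsumerService URL) are relayed, and every value written into the form is HTML-escaped. The SP registry, the endpoint path and the SP URLs are constructed.

```python
import html
from urllib.parse import urlencode, urlsplit

# Constructed SP registry standing in for the IdP's provider store; the real
# store and its field names are not reproduced here (assumption).
SP_REGISTRY = {
    "https://sp.example.org/saml2/metadata": {
        "acs_url": "https://sp.example.org/saml2/postResponse",
    },
}


def idp_initiated_url(sso_redirect_url, sp_id, relay_state=None):
    """Build the bookmarkable link the portal hands out for one SP."""
    params = {"SPIdentifier": sp_id}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_redirect_url + "?" + urlencode(params)


def resolve_relay_state(sp_id, relay_state):
    """Return the RelayState to pass through, "" if absent, None if rejected.

    Anyone can mint the link, so RelayState is attacker-controlled: only values
    that are relative or on the SP's own origin are relayed (assumed policy,
    compared against the SP's AssertionConsumerService URL).
    """
    sp = SP_REGISTRY.get(sp_id)
    if sp is None:
        return None
    if not relay_state:
        return ""
    target = urlsplit(relay_state)
    acs = urlsplit(sp["acs_url"])
    if target.scheme or target.netloc:
        if (target.scheme, target.netloc) != (acs.scheme, acs.netloc):
            return None
    return relay_state


def build_post_form(sp_id, saml_response_b64, relay_state=None):
    """Render the self-submitting HTTP-POST binding form sent to the browser.

    Every value that ends up inside the markup is HTML-escaped, which is the
    property auto-escaping templates give the real pages.
    """
    relay = resolve_relay_state(sp_id, relay_state)
    if relay is None:
        raise ValueError("unknown SP or RelayState not on the SP's origin")
    fields = [("SAMLResponse", saml_response_b64)]
    if relay:
        fields.append(("RelayState", relay))
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s">'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields
    )
    action = html.escape(SP_REGISTRY[sp_id]["acs_url"], quote=True)
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        '  <form method="POST" action="%s">\n%s\n'
        '    <noscript><input type="submit" value="Continue"></noscript>\n'
        "  </form>\n</body></html>" % (action, inputs)
    )
```

The origin check deliberately rejects protocol-relative values such as `//evil.example/x` and non-HTTP schemes such as `javascript:`, both of which `urlsplit` reports with an empty or foreign scheme/netloc pair.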
3 years ago  Be more verbose when logging errors in info LDAP plugin
Rob Crittenden [Tue, 3 Nov 2015 22:02:04 +0000 (17:02 -0500)]
Be more verbose when logging errors in info LDAP plugin

The infoldap plugin was logging raw exceptions but not providing
any context to them.

This breaks some of the calls into separate try/except to provide
more precise failure reasons.

Also fix a typo in the authldap plugin and handle ValueError
when validating the template syntax.

https://fedorahosted.org/ipsilon/ticket/39

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: John Dennis <jdennis@redhat.com>
3 years ago  Error messages missing value for format-specifier
John Dennis [Thu, 12 Nov 2015 20:02:33 +0000 (15:02 -0500)]
Error messages missing value for format-specifier

Two error messages were missing the value for the %s format specifier.

Ticket: 201
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
3 years ago  ipsilon-server-install sometimes fails to log & emit errors
John Dennis [Fri, 13 Nov 2015 20:10:31 +0000 (15:10 -0500)]
ipsilon-server-install sometimes fails to log & emit errors

ipsilon-server-install may silently and immediately fail, nothing is
emitted to the console nor captured in the log file, it's just a
silent complete failure.

An example that reproduces the problem is a hostname without any dots
in it, e.g. "localhost".

The log level is set after some code executes (e.g. arg parsing).
If that code raises an error the exception handler will log it
at the debug level, but because the log level has not been set
yet to debug (it's still at the default error level) the message
is not emitted.

The log level should be set as soon as logging is initialized.

An error message should be emitted to the console, therefore in
addition to the exception handler logging the error to the debug log
along with the stack trace it should also emit just the message to the
console.

Ticket: 202
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
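The ordering problem the commit describes, reproduced as an added example (not the installer's code): the same simulated run is made with the log level set before argument handling and with it set afterwards, and with and without echoing the failure to the console. The logger name, the ERROR default level, the argument check and the formatter are assumptions standing in for the real installer.

```python
import io
import logging


def _make_logger(stream, level):
    """Fresh logger writing to ``stream`` at ``level``; existing handlers are
    dropped so repeated runs do not accumulate output."""
    logger = logging.getLogger("ipsilon-install-demo")
    for handler in list(logger.handlers):
        logger.removeHandler(handler)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.setLevel(level)
    return logger


def parse_args(hostname):
    """Stand-in for the installer's argument handling; the commit's example of
    a failing input is a hostname without a dot, such as "localhost"."""
    if "." not in hostname:
        raise ValueError("hostname %r is not fully qualified" % hostname)
    return {"hostname": hostname}


def run_install(hostname, level_set_first, echo_to_console):
    """Simulate one installer run; return (logfile_text, console_text).

    level_set_first=False reproduces the original ordering: the logger stays
    at its default (ERROR here, assumption) until after parse_args(), so the
    debug record written by the exception handler is silently dropped.
    """
    logfile, console = io.StringIO(), io.StringIO()
    level = logging.DEBUG if level_set_first else logging.ERROR
    logger = _make_logger(logfile, level)
    try:
        args = parse_args(hostname)
        if not level_set_first:
            logger.setLevel(logging.DEBUG)   # original placement: too late if parse_args raised
        logger.debug("installing for %s", args["hostname"])
    except Exception as exc:
        logger.debug("installation failed", exc_info=True)   # traceback to the debug log
        if echo_to_console:
            console.write("Installation failed: %s\n" % exc)   # just the message to the user
    return logfile.getvalue(), console.getvalue()
```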
3 years ago  Catch unsigned logout requests and raise a 400 for now
Rob Crittenden [Wed, 21 Oct 2015 20:34:11 +0000 (16:34 -0400)]
Catch unsigned logout requests and raise a 400 for now

A 400 is still going to blow up the logout sequence but
it is better than a 500 and at least tells the user what
is wrong.

This is most likely to be run into during initial SP
testing and not in production.

https://fedorahosted.org/ipsilon/ticket/166

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Handle user session data for both internal and external authentication
John Dennis [Sat, 10 Oct 2015 14:47:04 +0000 (10:47 -0400)]
Handle user session data for both internal and external authentication

Ipsilon can authenticate a user by itself via its own login
handlers (classes derived from `LoginManager`) or it can
capitalize on the authentication provided by the container Ipsilon
is running in (currently WSGI inside Apache). We refer to the
latter as "external authentication" because it occurs outside of
Ipsilon. However in both cases there is a common need to execute
the same code regardless of where the authentication
occurred.

Establish a new mixin class LoginHelper and use it in both the
LoginManagerBase class and the SAML2 SSO SOAP endpoint handler. The
SOAP endpoint handler requires external authentication.

LoginHelper.initialize_login_session() performs the common duty of
establishing a login session and binding user attributes to that
session.

LoginHelper.get_external_auth_info() determines if external
authentication has been performed and returns the name of the
principal and the authentication method.

Since SSO_SOAP utilizes external login it needs access to the Info
providers in order to populate the user attributes in the returned
SAML Assertion. The Info provider should be initialized only once and
is done via the normal Ipsilon login provider initialization. SSO_SOAP
obtains a reference to the Info provider bound to the login provider
by accessing the provider._root.login.info member.

In order to access the provider it was advantageous to explicitly name
the positional parameters passed to the __init__ calls instead of the
previous practice of passing parameters anonymously in a *args
tuple. In this manner the provider parameter is explicit instead of
having used a hardcoded index into the args tuple (e.g. provider =
args[1]). The result is much cleaner, easier to read and more robust
software.

Thus the patch also modifies the __init__ argument list to explicitly
pass the site and provider parameters as the first and second
positional parameters instead of having them be anonymously subsumed
in the *args parameter. These parameters must always be passed because
the ProviderPageBase __init__ requires them. Also modify the super
calls used to initialize the parent class to pass the site and
provider parameters. Calls to initialize ProviderPageBase only pass
the site and provider parameters, they do not pass any additional
anonymous parameters from the subclass.

Ticket: 191
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
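The split the commit describes, as an added example (not Ipsilon's LoginHelper): one mixin supplies get_external_auth_info(), which reads the principal Apache put into the WSGI environ, and initialize_login_session(), which binds the principal and its Info-provider attributes to the session; a form login manager that checks the password itself and a SOAP endpoint that only accepts container authentication both reuse it. The REMOTE_USER/AUTH_TYPE mapping, the session keys, the clear-before-bind step and the in-memory Info provider and password table are assumptions of the example.

```python
import hmac
import time


class StaticInfoProvider:
    """Constructed stand-in for an Ipsilon Info provider: maps a principal to
    the attributes that end up in the SAML Assertion."""

    def __init__(self, directory):
        self.directory = directory

    def get_user_attrs(self, username):
        return dict(self.directory.get(username, {}))


class LoginHelper:
    """Mixin shared by internal login managers and the externally
    authenticated SOAP endpoint (illustrative, not Ipsilon's class)."""

    # Apache AUTH_TYPE value -> method name recorded in the session (assumption).
    EXTERNAL_METHODS = {"negotiate": "gssapi", "basic": "basic"}

    def get_external_auth_info(self, environ):
        """Return (principal, method) if the container authenticated the
        request, else (None, None).  Apache exports REMOTE_USER and AUTH_TYPE
        into the WSGI environ when one of its auth modules ran."""
        principal = environ.get("REMOTE_USER")
        if not principal:
            return None, None
        auth_type = (environ.get("AUTH_TYPE") or "").lower()
        return principal, self.EXTERNAL_METHODS.get(auth_type, "external")

    def initialize_login_session(self, session, username, method, info, now=None):
        """Common duty for both paths: a fresh session bound to the principal
        and its attributes.  Clearing first discards whatever a
        pre-authentication session carried (assumption: fixation defence)."""
        attrs = info.get_user_attrs(username)
        session.clear()
        session.update(user=username, auth_method=method,
                       auth_time=int(now if now is not None else time.time()),
                       userdata=attrs)
        return session


class SsoSoapEndpoint(LoginHelper):
    """Requires external authentication; it never prompts."""

    def __init__(self, info):
        self.info = info

    def handle(self, environ, session):
        principal, method = self.get_external_auth_info(environ)
        if principal is None:
            return 401, None
        return 200, self.initialize_login_session(session, principal, method, self.info)


class FormLoginManager(LoginHelper):
    """Internal login manager: verifies the credential itself."""

    def __init__(self, info, passwords):
        self.info = info
        self.passwords = passwords   # constructed {user: password}, demo only

    def handle(self, username, password, session):
        expected = self.passwords.get(username, "")
        # compare_digest: constant-time comparison (ASCII strings only)
        if not expected or not hmac.compare_digest(expected, password):
            return 401, None
        return 200, self.initialize_login_session(session, username, "form", self.info)


# Constructed directory used by both endpoints.
INFO = StaticInfoProvider({
    "alice@EXAMPLE.ORG": {"email": "alice@example.org", "groups": ["admins"]},
})
```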
3 years ago  Don't assume cache_dir is set in conf during uninstall
Rob Crittenden [Wed, 21 Oct 2015 15:30:47 +0000 (11:30 -0400)]
Don't assume cache_dir is set in conf during uninstall

The code was unconditionally retrieving a value from
ipsilon.conf and replacing strings in it. This would fail
if the config file didn't exist, there was no global section
or if cache_dir wasn't there.

https://fedorahosted.org/ipsilon/ticket/186

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Fix wrong attribute name for HTTP response status code
Rob Crittenden [Wed, 21 Oct 2015 14:57:02 +0000 (10:57 -0400)]
Fix wrong attribute name for HTTP response status code

Was using status instead of status_code.

https://fedorahosted.org/ipsilon/ticket/193

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Don't crash if no NameIdPolicy is requested
Rob Crittenden [Wed, 21 Oct 2015 14:52:38 +0000 (10:52 -0400)]
Don't crash if no NameIdPolicy is requested

This fixes two problems:

1. Logging was done before a None check was completed
2. The None check was insufficient because the whole object
   could be None

https://fedorahosted.org/ipsilon/ticket/189

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Force cherrypy.log.screen to be True to enable normal logging
Rob Crittenden [Mon, 19 Oct 2015 20:42:42 +0000 (16:42 -0400)]
Force cherrypy.log.screen to be True to enable normal logging

It is needed for all levels of log messages, not just debug.

https://fedorahosted.org/ipsilon/ticket/171

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Fix incorrect raise exception syntax
Rob Crittenden [Mon, 19 Oct 2015 20:31:15 +0000 (16:31 -0400)]
Fix incorrect raise exception syntax

This was causing a logout error to throw an exception in
Ipsilon instead, masking the original error.

https://fedorahosted.org/ipsilon/ticket/195

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
3 years ago  Add check for permissions on deleting a SAML2 Service Provider
Patrick Uiterwijk [Mon, 12 Oct 2015 16:53:52 +0000 (18:53 +0200)]
Add check for permissions on deleting a SAML2 Service Provider

Fixes: #194
Fixes: CVE-2015-5301

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
3 years ago  Properly identify code location of logging message
John Dennis [Sat, 10 Oct 2015 15:09:02 +0000 (11:09 -0400)]
Properly identify code location of logging message

The method Log.call_location() is used to add identifying information
about the location in the code where a logging message is emitted
from.  It needs to walk up the stack to bypass calls involved in
logging to find where the call to logging was made. Formerly the code
had a hardcoded offset into the list of stack frame objects. But any
change in the logging implementation perturbs that offset. This patch
fixes that problem by walking up the stack until a non-logging
function is identified.

Ticket: 172
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
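The two approaches side by side, as an added example (not Ipsilon's Log class): a hardcoded frame offset that is right for one call path and wrong as soon as another logging-internal frame is added, and the walk-up-until-non-logging-frame lookup the commit switches to. Identifying logging frames by function name, and the particular two-level and three-level call paths, are assumptions of the example.

```python
import inspect
import os


class Log:
    """Illustrative logger with the caller-location lookup the commit
    describes (not Ipsilon's Log class)."""

    # Functions that make up the logging machinery; frames running one of
    # these are skipped when attributing a message (assumption: by name).
    _LOGGING_FUNCS = frozenset({"call_location", "call_location_fixed",
                                "_emit", "_emit_with_trace", "debug", "error"})

    def __init__(self, fixed_offset=False):
        self.fixed_offset = fixed_offset
        self.records = []

    @staticmethod
    def _describe(frame):
        return "%s:%s()" % (os.path.basename(frame.f_code.co_filename),
                            frame.f_code.co_name)

    def call_location_fixed(self):
        """Former approach: skip a hardcoded number of frames.  Right only
        when exactly two logging frames sit between here and the caller."""
        frame = inspect.currentframe()
        for _ in range(3):          # call_location_fixed, _emit, debug
            frame = frame.f_back
        return self._describe(frame)

    def call_location(self):
        """Walk up until the first frame that is not a logging function."""
        frame = inspect.currentframe()
        try:
            while frame is not None and frame.f_code.co_name in self._LOGGING_FUNCS:
                frame = frame.f_back
            return self._describe(frame) if frame is not None else "<unknown>"
        finally:
            del frame   # do not keep the frame (and its locals) alive

    def _emit(self, level, msg):
        where = self.call_location_fixed() if self.fixed_offset else self.call_location()
        self.records.append((level, where, msg))
        return where

    def debug(self, msg):              # caller -> debug -> _emit: two logging frames
        return self._emit("DEBUG", msg)

    def _emit_with_trace(self, msg):   # one more internal layer, as a refactor might add
        return self._emit("ERROR", msg)

    def error(self, msg):              # caller -> error -> _emit_with_trace -> _emit: three
        return self._emit_with_trace(msg)


def debug_location(fixed_offset=False):
    """Where a debug() message is attributed to; should name this function."""
    return Log(fixed_offset).debug("hello")


def error_location(fixed_offset=False):
    """Where an error() message is attributed to; should name this function."""
    return Log(fixed_offset).error("boom")
```

With the fixed offset the error() path is attributed to `error()` itself, which is exactly the drift the commit describes when the logging implementation changes shape.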
3 years ago  Transaction object must always have a transaction id
John Dennis [Sat, 10 Oct 2015 15:28:10 +0000 (11:28 -0400)]
Transaction object must always have a transaction id

A Transaction object must always have a transaction id (tid) because a
tid is how a transaction is referenced (e.g. when being stored or
retrieved). The existing code erroneously assumed a tid only needed to
be created if the request contained query or form parameters. This
restriction is now removed, if the transaction id cannot be found as a
request parameter a tid is unconditionally created.

Ticket: 177
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Modify is_lasso_ecp_enabled() to test for library symbol
John Dennis [Mon, 14 Sep 2015 21:24:23 +0000 (17:24 -0400)]
Modify is_lasso_ecp_enabled() to test for library symbol

The function is_lasso_ecp_enabled() in saml2idp.py was testing for a
specific lasso version. That has proved problematic because we've had
too many "unofficial" versions floating around and sometimes the
version check produces the wrong result.

A better test is to test for the presence of a symbol in the lasso
library we know will only be there with full ECP support.

Now we test for the presence of ECP_ERROR_MISSING_AUTHN_REQUEST.

Ticket: 167
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Bump version to 1.1.0  [v1.1.0]
Patrick Uiterwijk [Sat, 5 Sep 2015 20:58:43 +0000 (22:58 +0200)]
Bump version to 1.1.0

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Make it possible to use PluginLoader without store
Patrick Uiterwijk [Sat, 5 Sep 2015 00:27:47 +0000 (02:27 +0200)]
Make it possible to use PluginLoader without store

In the case of OpenID extensions, a backend store is not needed
for the PluginLoader, since the IDP Plugin has its own configuration
for enabled extensions.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Also create plugin UserStore data tables
Patrick Uiterwijk [Fri, 4 Sep 2015 20:28:40 +0000 (22:28 +0200)]
Also create plugin UserStore data tables

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Also add the store name when reporting data load error
Patrick Uiterwijk [Fri, 4 Sep 2015 20:27:27 +0000 (22:27 +0200)]
Also add the store name when reporting data load error

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Make the database upgrade system use logger
Patrick Uiterwijk [Fri, 4 Sep 2015 18:46:04 +0000 (20:46 +0200)]
Make the database upgrade system use logger

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement cleanup for OpenIDStore
Patrick Uiterwijk [Fri, 4 Sep 2015 17:37:34 +0000 (19:37 +0200)]
Implement cleanup for OpenIDStore

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Make it possible to enable database query echoing
Patrick Uiterwijk [Fri, 4 Sep 2015 16:16:51 +0000 (18:16 +0200)]
Make it possible to enable database query echoing

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement cleanup for sessions
Patrick Uiterwijk [Fri, 4 Sep 2015 16:13:39 +0000 (18:13 +0200)]
Implement cleanup for sessions

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement cleanup for TranStore
Patrick Uiterwijk [Fri, 4 Sep 2015 16:05:33 +0000 (18:05 +0200)]
Implement cleanup for TranStore

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement automatic database cleanup
Patrick Uiterwijk [Wed, 2 Sep 2015 15:49:08 +0000 (17:49 +0200)]
Implement automatic database cleanup

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Derive splink when registering SP, allow visible = True in SP portal
Rob Crittenden [Fri, 4 Sep 2015 15:37:09 +0000 (11:37 -0400)]
Derive splink when registering SP, allow visible = True in SP portal

The splink value wasn't being passed when registering a new client.
We don't need to prompt for this since we know it already.

Accept 'True' as a value for visible when determining if we
should show a provider on the SP portal page.

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  saml_base must be a subpath of saml_auth in client installer
Rob Crittenden [Fri, 4 Sep 2015 15:00:09 +0000 (11:00 -0400)]
saml_base must be a subpath of saml_auth in client installer

If the authenticated path doesn't reside under saml_base (which
defaults to /) then mod_auth_mellon can't find the IdP.

https://fedorahosted.org/ipsilon/ticket/163

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Flip some debug messages to error messages in SAML2 provider
Rob Crittenden [Fri, 4 Sep 2015 13:53:40 +0000 (09:53 -0400)]
Flip some debug messages to error messages in SAML2 provider

Some failures were only being logged at the debug level which
would be difficult if not impossible to track down on an
operational server. This should give an operator a chance to
figure out what is going on.

https://fedorahosted.org/ipsilon/ticket/159

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Update REST test to include attributes for SP Portal
Rob Crittenden [Wed, 2 Sep 2015 20:55:39 +0000 (16:55 -0400)]
Update REST test to include attributes for SP Portal

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Ship the PatternFlyIcons font in fonts-local.
Rob Crittenden [Wed, 2 Sep 2015 20:13:15 +0000 (16:13 -0400)]
Ship the PatternFlyIcons font in fonts-local.

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Build and ship CSS for SP Portal
Rob Crittenden [Wed, 2 Sep 2015 20:12:29 +0000 (16:12 -0400)]
Build and ship CSS for SP Portal

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Regenerate the CSS, add patternfly and styles
Rob Crittenden [Wed, 2 Sep 2015 20:58:34 +0000 (16:58 -0400)]
Regenerate the CSS, add patternfly and styles

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  CSS for the SP Portal
Rob Crittenden [Wed, 2 Sep 2015 20:16:03 +0000 (16:16 -0400)]
CSS for the SP Portal

This controls the SP tiles and auto-generates an
image for an SP that doesn't have one based on
the first letter of its name.

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Update bootstrap, update/add all of PatternFly, add font-awesome
Rob Crittenden [Wed, 2 Sep 2015 20:54:23 +0000 (16:54 -0400)]
Update bootstrap, update/add all of PatternFly, add font-awesome

These are required for the SP Portal as designed by the UI team.

Some local changes were done to patternfly to fix the location of
bootstrap and font-awesome but it should be fairly similar to
the upstream version.

patternfly 2.0.0
bootstrap 3.3.5
fontawesome 4.3.0

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add CSS to preview an uploaded image
Rob Crittenden [Wed, 2 Sep 2015 21:03:16 +0000 (17:03 -0400)]
Add CSS to preview an uploaded image

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Javascript for filtering the SP by name and description
Rob Crittenden [Wed, 2 Sep 2015 20:56:26 +0000 (16:56 -0400)]
Javascript for filtering the SP by name and description

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  End-user UI for SP Portal
Rob Crittenden [Wed, 2 Sep 2015 20:55:56 +0000 (16:55 -0400)]
End-user UI for SP Portal

Update the root page to include the list of SAML2
Service Providers in a dynamic layout with a
filter which can search on SP name and description.

Hide providers that the admin does not want visible.

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Create cache directory for storing images for SP Portal
Rob Crittenden [Wed, 2 Sep 2015 20:53:16 +0000 (16:53 -0400)]
Create cache directory for storing images for SP Portal

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  SP Portal administrative interface
Rob Crittenden [Wed, 2 Sep 2015 20:51:32 +0000 (16:51 -0400)]
SP Portal administrative interface

Add database values for the SP: visible, image, SP link and
description.

Update REST interface to accept values for these attributes.

https://fedorahosted.org/ipsilon/ticket/148

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Close connections after creating the tables
Patrick Uiterwijk [Thu, 3 Sep 2015 23:32:00 +0000 (01:32 +0200)]
Close connections after creating the tables

This needs to be done manually in the case of upgrades, because
there is no cherrypy end_request to help us close sessions.
Every time we do a self._query a new connection is allocated, so
we need to make sure to terminate them all.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Fix the database upgrade for readonly databases (file-conf)
Patrick Uiterwijk [Thu, 3 Sep 2015 22:55:24 +0000 (00:55 +0200)]
Fix the database upgrade for readonly databases (file-conf)

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Add openid_extensions table to be created
Patrick Uiterwijk [Thu, 3 Sep 2015 21:01:56 +0000 (23:01 +0200)]
Add openid_extensions table to be created

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Fix database upgrades from partially initialized schema 1 databases
Patrick Uiterwijk [Thu, 3 Sep 2015 19:36:20 +0000 (21:36 +0200)]
Fix database upgrades from partially initialized schema 1 databases

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Fix initialization of plugin_data table in AdminStore
Patrick Uiterwijk [Thu, 3 Sep 2015 14:30:47 +0000 (16:30 +0200)]
Fix initialization of plugin_data table in AdminStore

This was created ad-hoc before, but now has to be created by the
upgrade script.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Add test suite for database upgrades
Patrick Uiterwijk [Mon, 31 Aug 2015 23:33:02 +0000 (01:33 +0200)]
Add test suite for database upgrades

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement database upgrade for indexes
Patrick Uiterwijk [Mon, 31 Aug 2015 21:48:31 +0000 (23:48 +0200)]
Implement database upgrade for indexes

This implements upgrading from schema version 1 to 2.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Add SQL primary key and indexes
Patrick Uiterwijk [Tue, 11 Aug 2015 09:52:13 +0000 (11:52 +0200)]
Add SQL primary key and indexes

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Define PAOS AssertionConsumerService in ipsilon-client-install
John Dennis [Thu, 27 Aug 2015 20:34:40 +0000 (16:34 -0400)]
Define PAOS AssertionConsumerService in ipsilon-client-install

A SAML SP will not be able to perform ECP unless an
AssertionConsumerService for the PAOS binding has been defined in its
metadata. The PAOS AssertionConsumerService participates in the ECP
protocol exchange, specifically it's where the ECP client sends the
IdP Assertion.

If lasso starts to engage in an ECP transaction by trying to generate a
Samlp:AuthnRequest and no PAOS AssertionConsumerService is defined in
the SP metadata it will fail with an unknown provider error.

Note, AssertionConsumerService elements are indexed endpoints, there
may be one per protocol binding. Now that there is more than 1
AssertionConsumerService we set the isDefault flag to True on the
existing post response at index 0. This isn't strictly necessary
because the spec says if the default flag isn't set on any
AssertionConsumerService endpoint then the first one is selected, but
it's good practice anyway.

FWIW, if mod_auth_mellon is not configured with metadata then
mod_auth_mellon will generate its own metadata which includes the
PAOS AssertionConsumerService. However in ipsilon-client we generate
the SP metadata and were failing to add the PAOS
AssertionConsumerService, something mellon would have done
automatically for us. This is why this bug was only first seen using
ipsilon-client-install.

Ticket: 162
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
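The metadata shape the commit describes, as an added example (not ipsilon-client-install's generator): an SPSSODescriptor whose HTTP-POST AssertionConsumerService sits at index 0 flagged isDefault, with the PAOS AssertionConsumerService added at index 1, plus a check that tells an operator whether a given SP metadata document advertises the PAOS endpoint at all. The endpoint URLs and entity ID are constructed; the rest is standard SAML 2.0 metadata.

```python
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
ET.register_namespace("md", NS_MD)


def _md(tag):
    return "{%s}%s" % (NS_MD, tag)


def build_sp_metadata(entity_id, post_url, paos_url=None):
    """SP metadata with the HTTP-POST AssertionConsumerService at index 0
    marked isDefault and, when an ECP endpoint URL is given, a PAOS
    AssertionConsumerService at index 1.  Inputs are constructed."""
    root = ET.Element(_md("EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, _md("SPSSODescriptor"),
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, _md("AssertionConsumerService"), Binding=BINDING_POST,
                  Location=post_url, index="0", isDefault="true")
    if paos_url:
        ET.SubElement(sp, _md("AssertionConsumerService"), Binding=BINDING_PAOS,
                      Location=paos_url, index="1")
    return ET.tostring(root, encoding="unicode")


def acs_endpoints(metadata_xml):
    """(binding, location, index, is_default) for every ACS, in document order."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location"), int(e.get("index")),
             e.get("isDefault") == "true")
            for e in root.iter(_md("AssertionConsumerService"))]


def default_acs(metadata_xml):
    """Selection rule the commit cites: the endpoint flagged isDefault,
    otherwise the first one listed."""
    endpoints = acs_endpoints(metadata_xml)
    flagged = [e for e in endpoints if e[3]]
    return flagged[0] if flagged else endpoints[0]


def ecp_ready(metadata_xml):
    """True when a PAOS ACS is advertised and the ACS indexes are unique; an
    SP without the PAOS endpoint is the case that failed in the commit."""
    endpoints = acs_endpoints(metadata_xml)
    indexes = [e[2] for e in endpoints]
    return (len(indexes) == len(set(indexes))
            and any(e[0] == BINDING_PAOS for e in endpoints))
```

Running ecp_ready() over an SP's metadata before enabling ECP on it is the quick check an operator would want when chasing the failure the commit describes.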
4 years ago  Rename the SAML2 sessions database to saml2_sessions
Patrick Uiterwijk [Mon, 31 Aug 2015 05:08:05 +0000 (07:08 +0200)]
Rename the SAML2 sessions database to saml2_sessions

This makes it possible to have saml2 sessions and Ipsilon sessions
in the same database without any problems.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Create database upgrade framework
Patrick Uiterwijk [Sun, 30 Aug 2015 10:55:21 +0000 (12:55 +0200)]
Create database upgrade framework

This creates a framework for upgrading the database schema to the latest version,
and a script that will execute them.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Move initialization of SAML2 cleanup to init_idp
Patrick Uiterwijk [Sun, 30 Aug 2015 22:56:16 +0000 (00:56 +0200)]
Move initialization of SAML2 cleanup to init_idp

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Add city to info plugin, fetch correct attrs in SSSD
Rob Crittenden [Mon, 31 Aug 2015 17:27:58 +0000 (13:27 -0400)]
Add city to info plugin, fetch correct attrs in SSSD

Add missing variable in the info plugins common list
for city.

Fix the mapping in the infosssd plugin where locality
was being passed in as state. It is now set as city
and st as state.

Care needs to be taken with LDAP attributes as Ipsilon
doesn't currently handle attribute aliases.

https://fedorahosted.org/ipsilon/ticket/161

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Fix transaction check
Patrick Uiterwijk [Wed, 19 Aug 2015 03:29:20 +0000 (05:29 +0200)]
Fix transaction check

This fixes OpenID specification compliance, since the main
OpenID endpoint URL needs to serve a non-error result on
query, and the current code would error out.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Validate options of the LDAP auth plugin on installation
Rob Crittenden [Wed, 19 Aug 2015 14:13:36 +0000 (10:13 -0400)]
Validate options of the LDAP auth plugin on installation

Few of the LDAP options had any validation at all so it was
easy to provide a bad DN template, basedn and server URL.

These types of errors are now sufficient to kill the installer
rather than letting it limp along and hope the user notices the
failures in the output.

https://fedorahosted.org/ipsilon/ticket/40

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Log a message when authentication is successful but doesn't
Rob Crittenden [Mon, 24 Aug 2015 17:42:19 +0000 (17:42 +0000)]
Log a message when authentication is successful but doesn't

match the NameID required by the SAML request.

https://fedorahosted.org/ipsilon/ticket/157

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Count IPA as a login plugin when checking for enabled plugins
Rob Crittenden [Mon, 24 Aug 2015 18:27:35 +0000 (18:27 +0000)]
Count IPA as a login plugin when checking for enabled plugins

The installer ensures that at least one login plugin is enabled.
It didn't consider IPA, which automatically enables gssapi,
when doing this calculation. Add a check so that IPA counts as well.

https://fedorahosted.org/ipsilon/ticket/152

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Make wellknowndir substitution work on Alias line as well.
Jan Pazdziora [Tue, 25 Aug 2015 11:56:35 +0000 (11:56 +0000)]
Make wellknowndir substitution work on Alias line as well.

Signed-off-by: Jan Pazdziora <jpazdziora@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Enable auto-escaping templates
Patrick Uiterwijk [Tue, 18 Aug 2015 15:10:46 +0000 (17:10 +0200)]
Enable auto-escaping templates

This will prevent most cases of insertion of HTML or other
code into the generated HTML.

Fixes: CVE-2015-5215

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Fix permission check on SP update
Patrick Uiterwijk [Tue, 18 Aug 2015 14:26:50 +0000 (16:26 +0200)]
Fix permission check on SP update

The permission check for owner was checking the wrong field,
which would make it possible for anyone to update the Service
Provider owner, making it possible for anyone to change the
SP owner, allowing anyone to change the SP name.

Fixes: CVE-2015-5217

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
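Both this commit (CVE-2015-5217, the update path) and the later "Add check for permissions on deleting a SAML2 Service Provider" commit (CVE-2015-5301) come down to one authorization check: the requester must be an admin or the owner recorded on the stored SP, and that comparison must never be made against a value the client supplied. The added example below (illustrative, not Ipsilon's code) shows a broken update that takes the owner from the submitted changes, next to the fixed update and delete paths; the record layout, the admin flag and the in-memory store are assumptions of the example, and the broken variant is one possible "wrong field" bug, not the literal one the commit fixed.

```python
from collections import namedtuple

# Constructed records; the real SP table has more fields, these are the ones
# the checks need.
SP = namedtuple("SP", "name owner description")
User = namedtuple("User", "name is_admin")


def _is_owner_or_admin(user, sp):
    """The check both commits needed: compare the requester with the owner
    stored on the record, never with anything the client sent."""
    return user.is_admin or user.name == sp.owner


def _apply(store, sp, changes):
    """Write the updated record back, re-keying the store if it was renamed."""
    updated = sp._replace(**changes)
    del store[sp.name]
    store[updated.name] = updated
    return updated


def update_sp_broken(store, user, name, changes):
    """Illustrative 'wrong field' bug: the owner test reads the owner out of
    the submitted changes, so a client that submits owner=<its own name>
    passes and may then rename the SP."""
    sp = store[name]
    owner = changes.get("owner", sp.owner)
    if not (user.is_admin or user.name == owner):
        return False
    _apply(store, sp, changes)
    return True


def update_sp(store, user, name, changes):
    """Fixed variant: the stored owner decides whether the update is allowed."""
    sp = store[name]
    if not _is_owner_or_admin(user, sp):
        return False
    _apply(store, sp, changes)
    return True


def delete_sp(store, user, name):
    """Deletion needs the same check (the CVE-2015-5301 commit)."""
    sp = store[name]
    if not _is_owner_or_admin(user, sp):
        return False
    del store[name]
    return True
```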
4 years ago  Report to user if an LDAP error occurs
Rob Crittenden [Mon, 20 Jul 2015 20:42:36 +0000 (16:42 -0400)]
Report to user if an LDAP error occurs

Catch LDAP errors and display them properly rather than
just dumping the exception.

Rename variable authed to authok.

Add test for case where LDAP server is not started to
confirm the user receives the error alert.

https://fedorahosted.org/ipsilon/ticket/55

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Clear testdir before test run
Patrick Uiterwijk [Tue, 18 Aug 2015 16:36:18 +0000 (18:36 +0200)]
Clear testdir before test run

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Mark the service as readonly in the UI in authpam plugin
Rob Crittenden [Fri, 17 Jul 2015 18:07:16 +0000 (14:07 -0400)]
Mark the service as readonly in the UI in authpam plugin

Update the Option class to take a readonly keyword argument,
defaulting to False. Extend its subclasses to pass this value
along.

The page template will add the disabled keyword to input and
textarea if a config option is marked as readonly.

https://fedorahosted.org/ipsilon/ticket/6

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Only initialize the Persona IDP when actually enabled
Patrick Uiterwijk [Fri, 17 Jul 2015 14:03:15 +0000 (16:03 +0200)]
Only initialize the Persona IDP when actually enabled

This has the same reasoning as the OpenID patch (commit
ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally
that it will otherwise error on loading the signing key.
(This is not critical though as it will retry loading and
succeed, this is just to make it not spit that error).

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Use full path when constructing "Other authentication methods"
Rob Crittenden [Thu, 6 Aug 2015 15:12:16 +0000 (15:12 +0000)]
Use full path when constructing "Other authentication methods"

It was previously providing just a relative path and if the paths
overlapped I guess the browser was trying to smash them together.

This would result in a double "gssapi" in the gssapi URL like:

https://my.ipsilon.org/idp/login/gssapi/gssapi/negotiate?ips...

Don't rely on the browser to get the path right, use self.basepath.

https://fedorahosted.org/ipsilon/ticket/153

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Drop all the calls to .keys() when iterating on the keys of a dict
Pierre-Yves Chibon [Tue, 28 Jul 2015 11:19:49 +0000 (11:19 +0000)]
Drop all the calls to .keys() when iterating on the keys of a dict

When browsing the keys of a dictionary, you can use the ``.keys()`` method but
that is in fact only really useful if you want to store the list of keys first
and act on them (like sorting them or so).
If you just want to iterate through all the keys, no matter the order, then it
is much much faster to just do: ``for key in dict``

Some stats about this can be found there:
http://blog.pingoured.fr/index.php?post/2012/03/12/Python-notes-to-self

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Log caught exceptions in server installer at debug level
Rob Crittenden [Fri, 17 Jul 2015 15:39:34 +0000 (11:39 -0400)]
Log caught exceptions in server installer at debug level

exception() is a helper that logs a traceback at the ERROR
level. Since the stdout logs at INFO the traceback was going to
both the log file and stdout. We really only want it in the debug
log.

https://fedorahosted.org/ipsilon/ticket/143

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Set the value of WantAuthnRequestsSigned to True
Rob Crittenden [Fri, 17 Jul 2015 20:15:35 +0000 (16:15 -0400)]
Set the value of WantAuthnRequestsSigned to True

The spec says the default should be False if not specified
but lasso sets it to true unless it is explicitly set to
False. So let's be explicit and set it to True.

https://fedorahosted.org/ipsilon/ticket/136

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Include timezone in metadata validUntil value and use UTC time
Rob Crittenden [Thu, 16 Jul 2015 18:04:56 +0000 (14:04 -0400)]
Include timezone in metadata validUntil value and use UTC time

The python datetime module doesn't append the timezone in its
isoformat() output, so add a Z indicating that the time is
UTC time. Also generate the output using utcnow() rather than
now() so the times line up.

https://fedorahosted.org/ipsilon/ticket/137

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
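The pitfall described in the commit above, worked through as an added example (this is not Ipsilon's code, and the helper names `naive_valid_until`, `utc_valid_until`, `aware_valid_until` and `parse_valid_until` are assumed here): Python's `datetime.isoformat()` emits no timezone designator, so a value derived from `now()` is ambiguous to the SP that parses `validUntil` from the metadata. The example shows the pre-fix output beside the fixed `utcnow()` + `Z` form, goes one step further with a timezone-aware variant that normalises any offset to UTC, and includes the check a consumer would apply before trusting the value.

```python
"""Added example: generating and validating a SAML metadata validUntil
timestamp.  Not Ipsilon's code; illustrates the commit above."""
import re
from datetime import datetime, timedelta, timezone

# What a strict metadata consumer expects: xs:dateTime in UTC with an
# explicit 'Z' designator (SAML metadata uses UTC throughout).
VALID_UNTIL_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def naive_valid_until(now_local, days=30):
    """Pre-fix form: a naive local-time datetime from now(); isoformat()
    yields e.g. '2015-08-15T14:04:56' with no timezone at all."""
    return (now_local + timedelta(days=days)).isoformat()


def utc_valid_until(now_utc, days=30):
    """Fixed form from the commit: a naive datetime taken from utcnow(),
    with 'Z' appended to mark it as UTC."""
    return (now_utc + timedelta(days=days)).isoformat() + "Z"


def aware_valid_until(now_aware, days=30):
    """Generalisation (assumed, not from the commit): accept any aware
    datetime, convert to UTC, and emit the same 'Z' form."""
    dt = (now_aware + timedelta(days=days)).astimezone(timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def is_valid_until_wellformed(value):
    """True only for UTC timestamps carrying the 'Z' designator."""
    return VALID_UNTIL_RE.match(value) is not None


def parse_valid_until(value):
    """Consumer side: reject timezone-less values instead of guessing,
    and return an aware UTC datetime that can be compared safely."""
    if not is_valid_until_wellformed(value):
        raise ValueError(
            "validUntil must be UTC with a Z designator: %r" % (value,))
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_until_expiry(value, now_aware):
    """How long the metadata stays valid from an aware 'now'."""
    return (parse_valid_until(value) - now_aware).total_seconds()


if __name__ == "__main__":
    # Constructed sample instant: the commit's timestamp, 14:04 local
    # (UTC-4) == 18:04 UTC.
    local = datetime(2015, 7, 16, 14, 4, 56)
    utc = datetime(2015, 7, 16, 18, 4, 56)
    print("naive :", naive_valid_until(local),
          is_valid_until_wellformed(naive_valid_until(local)))
    print("fixed :", utc_valid_until(utc),
          is_valid_until_wellformed(utc_valid_until(utc)))
```

The naive form prints `2015-08-15T14:04:56`, which a consumer cannot place on a timeline (local time of the IdP host is not known to the SP), while the fixed form prints `2015-08-15T18:04:56Z`, which parses unambiguously. The consumer-side parse refuses the naive form rather than silently treating it as UTC, which is the failure that makes `validUntil` checks appear to pass or fail by a few hours depending on the host's zone.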
4 years ago  Only initialize the SAML IDP when actually enabled
Patrick Uiterwijk [Fri, 17 Jul 2015 13:57:28 +0000 (15:57 +0200)]
Only initialize the SAML IDP when actually enabled

This has the same reasoning as the OpenID patch (commit
ac7c20cca81c3d23ee66f224030b316bdff2274a), with additionally
that it will otherwise error on finding the metadata.
(This is not critical though as it will retry loading and
succeed, this is just to make it not spit that error).

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Refactor SP generation to simplify logout testing
Rob Crittenden [Mon, 13 Jul 2015 20:32:02 +0000 (16:32 -0400)]
Refactor SP generation to simplify logout testing

This adds the ability to quickly and easily add more SPs as needed
to test more complex logout scenarios.

Create five SPs, two of which support only HTTP-Redirect to ensure
that logout works in a mixed environment.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add client install option to disable logout over SOAP
Rob Crittenden [Mon, 13 Jul 2015 21:43:20 +0000 (17:43 -0400)]
Add client install option to disable logout over SOAP

This is at least somewhat for testing to ensure that
a mixed environment works but HTTP Redirect is the
recommended mechanism in the spec so some may want
to use only that.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add support for logout over SOAP
Rob Crittenden [Thu, 25 Jun 2015 15:00:59 +0000 (11:00 -0400)]
Add support for logout over SOAP

As each login session comes in, store the supported logout
mechanisms in the SP metadata.

Upon a logout request, loop through all of those SPs that
support SOAP and log those out first, then log out any
remaining sessions using HTTP Redirect.

https://fedorahosted.org/ipsilon/ticket/59

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Return PAM errors from mod_intercept_form_submit
Rob Crittenden [Tue, 14 Jul 2015 19:35:21 +0000 (15:35 -0400)]
Return PAM errors from mod_intercept_form_submit

This fixes several problems:

1. The PAM error was being retrieved from the wrong location
2. The error was not always logged properly
3. The error was not propagated up
4. Even if the error had been propagated up the auth_failed
   routine failed to pass it to the error page template.

A dictionary is used to translate the PAM errors into something
more consumable. This can be used eventually to translate
into other languages.

https://fedorahosted.org/ipsilon/ticket/69

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Only initialize the OpenID IDP when actually enabled
Patrick Uiterwijk [Wed, 8 Jul 2015 10:37:04 +0000 (12:37 +0200)]
Only initialize the OpenID IDP when actually enabled

This is needed because otherwise it will try to set the database schema version
before it reads the configuration for providers, which means it will do this
in the default (openid.sqlite) database file.
If you are running as a non-privileged user (as you should) with the working
directory pointing somewhere this user is unable to write, this means it will
fail to write this.

Note: the working directory is not in the default wsgi file, which means that
people using that will not likely hit this bug.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Replace some type(...) checks with isinstance(...)
Patrick Uiterwijk [Wed, 8 Jul 2015 01:01:50 +0000 (03:01 +0200)]
Replace some type(...) checks with isinstance(...)

This is needed because otherwise the pylint version in
Fedora 22 will complain.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Default --saml-sp-logout/post based on --saml-sp
Jamie Lennox [Mon, 6 Jul 2015 05:08:33 +0000 (05:08 +0000)]
Default --saml-sp-logout/post based on --saml-sp

In ipsilon-client-install allow setting only --saml-sp and have
--saml-sp-logout and --saml-sp-post values based upon the provided value
rather than complaining that the defaults are wrong.

Closes-Ticket: 145
Signed-off-by: Jamie Lennox <jamielennox@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  Add missing requirement on mod_ssl for ipsilon-client
Patrick Uiterwijk [Mon, 22 Jun 2015 15:38:33 +0000 (17:38 +0200)]
Add missing requirement on mod_ssl for ipsilon-client

https://fedorahosted.org/ipsilon/ticket/144

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years ago  ipsilon-client-install give password in env. var.
Rich Megginson [Mon, 8 Jun 2015 22:22:27 +0000 (16:22 -0600)]
ipsilon-client-install give password in env. var.

https://fedorahosted.org/ipsilon/ticket/142

If --admin-password is not given, see if the IPSILON_ADMIN_PASSWORD
environment variable is set, and use it for the admin_password, before
doing getpass().

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Bump version for 1.0.0 release v1.0.0
Patrick Uiterwijk [Mon, 11 May 2015 23:12:15 +0000 (01:12 +0200)]
Bump version for 1.0.0 release

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Install man pages for client and server
Rob Crittenden [Wed, 6 May 2015 22:22:55 +0000 (18:22 -0400)]
Install man pages for client and server

This includes the man pages for the installers and for
ipsilon.conf.

https://fedorahosted.org/ipsilon/ticket/34

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add man page for ipsilon.conf.
Rob Crittenden [Thu, 7 May 2015 20:34:27 +0000 (16:34 -0400)]
Add man page for ipsilon.conf.

https://fedorahosted.org/ipsilon/ticket/34

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add more text to ipsilon(7) man page
Rob Crittenden [Thu, 7 May 2015 18:55:20 +0000 (14:55 -0400)]
Add more text to ipsilon(7) man page

https://fedorahosted.org/ipsilon/ticket/34

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  ipsilon-server-install man page
Rob Crittenden [Wed, 6 May 2015 22:15:15 +0000 (18:15 -0400)]
ipsilon-server-install man page

https://fedorahosted.org/ipsilon/ticket/34

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  ipsilon-client-install man page
Rob Crittenden [Wed, 6 May 2015 18:54:19 +0000 (14:54 -0400)]
ipsilon-client-install man page

https://fedorahosted.org/ipsilon/ticket/34

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add logout to pgdb, fix name in tests
Rob Crittenden [Mon, 11 May 2015 22:15:51 +0000 (18:15 -0400)]
Add logout to pgdb, fix name in tests

Add a logout to the postgres test to ensure that sessions are
updated properly on logout.

Fix the name in the tests, it was test1.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Use plugin-specific configuration, better expiration
Rob Crittenden [Mon, 11 May 2015 22:14:42 +0000 (18:14 -0400)]
Use plugin-specific configuration, better expiration

Use a SAML2 plugin specific option to specify the database uri
for sessions.

Use a much more robust method to find sessions that need
expiration (thanks Patrick).

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Remove expired SAML2 sessions
Rob Crittenden [Mon, 20 Apr 2015 20:44:41 +0000 (16:44 -0400)]
Remove expired SAML2 sessions

Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.

From my testing, if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Update IdP-initiated logout to use SAML2 Store
Rob Crittenden [Tue, 21 Apr 2015 13:44:04 +0000 (09:44 -0400)]
Update IdP-initiated logout to use SAML2 Store

This moves the order in which the "fake" session is created and
it gives it a unique ID rather than using a fixed value.

Rely on the LogoutRequest request ID so we can get the
order of logout correct.

The basic idea is a logout request is created for the IdP
containing the URL of the IdP itself as the RelayState. A
session is picked and a LogoutRequest generated and sent.

There will be a LogoutRequest/LogoutResponse back and forth
until there are no more sessions to log out. The last
session will be this "fake" session that started it all
and the user will be redirected to the main page of the IdP.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Convert logout code to use SAML2 Store
Rob Crittenden [Tue, 21 Apr 2015 13:40:30 +0000 (09:40 -0400)]
Convert logout code to use SAML2 Store

This is functionally the same. The primary differences are:

- When logging out, fetch all requested session indexes in the
  LogoutRequest.
- Store the LogoutRequest request ID to be used later when a
  LogoutResponse is received to look up the logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Create a SAML2 session during login
Rob Crittenden [Tue, 21 Apr 2015 13:38:14 +0000 (09:38 -0400)]
Create a SAML2 session during login

Use the updated session API to create a SAML2 session.
Note that each session is stored discretely. Previously if
a session for a provider already existed then that one session
held all the session indexes. Now if a new session comes in
it is added separately. During logout all sessions for a provider
are retrieved and all logged-in sessions sent to the SP to
log out.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Change SAML2 sessions backend to use Store API
Rob Crittenden [Tue, 21 Apr 2015 13:35:25 +0000 (09:35 -0400)]
Change SAML2 sessions backend to use Store API

The basic session API remains the same, just replace
the calls to pull data out of the user session to
instead pull from the database.

The per-session logout state is now a constant rather than
being a member of either the logged_in or logging_out
dictionaries.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Configure the SAML2 session database during installation
Rob Crittenden [Tue, 21 Apr 2015 13:34:41 +0000 (09:34 -0400)]
Configure the SAML2 session database during installation

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add support for storing SAML2 sessions
Rob Crittenden [Tue, 21 Apr 2015 13:30:31 +0000 (09:30 -0400)]
Add support for storing SAML2 sessions

Store SAML2 session information in a table rather than with the
user entry so sessions can be persisted past IdP restarts and if
the user accesses the system via multiple browsers SLO will log
out all sessions, not just the user session that initiated the
logout.

https://fedorahosted.org/ipsilon/ticket/90

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years ago  Add uninstallation support to infosssd
Patrick Uiterwijk [Fri, 8 May 2015 16:30:02 +0000 (18:30 +0200)]
Add uninstallation support to infosssd

This should make it revert any changes it made during
installation.

https://fedorahosted.org/ipsilon/ticket/67

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement change registration
Patrick Uiterwijk [Fri, 8 May 2015 16:12:06 +0000 (18:12 +0200)]
Implement change registration

This will make it possible for plugins to register what they
have changed during installation, so that they can revert
any changes they made during the uninstallation.

https://fedorahosted.org/ipsilon/ticket/67

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Add database schema versioning
Patrick Uiterwijk [Fri, 8 May 2015 14:56:36 +0000 (16:56 +0200)]
Add database schema versioning

With this skeleton code we can add upgrade code
if we ever change the database schema.

https://fedorahosted.org/ipsilon/ticket/56

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years ago  Implement ECP in Ipsilon
John Dennis [Mon, 26 Jan 2015 21:04:40 +0000 (16:04 -0500)]
Implement ECP in Ipsilon

* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
  if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
  and other HTTP concepts are expected. Each handler is responsible
  for setting the binding.
* add some constants needed for ECP

https://fedorahosted.org/ipsilon/ticket/4

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>