cascardo/ipsilon.git
4 years agoAssertion AttributeStatements must be non-empty
John Dennis [Wed, 18 Mar 2015 21:14:07 +0000 (17:14 -0400)]
Assertion AttributeStatements must be non-empty

The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.

https://fedorahosted.org/ipsilon/ticket/61

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoAllow SP installation to be on non-standard ports
Nathan Kinder [Sat, 14 Mar 2015 17:00:51 +0000 (10:00 -0700)]
Allow SP installation to be on non-standard ports

When setting up a SP using ipsilon-client-install, there is no
ability to use a non-standard port.  We should allow a port number
to be specified that results in the proper URLs in the SP metadata.

This patch adds a --port option to ipsilon-client-install.  This is
used in the construction of the URLs used in the SP metadata as well
as in the httpd redirect rules if httpd is being configured.

https://fedorahosted.org/ipsilon/ticket/92

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoProperly handle groups info in SAML provider
Simo Sorce [Tue, 17 Mar 2015 17:22:06 +0000 (13:22 -0400)]
Properly handle groups info in SAML provider

Also removes internal attributes (any attribute that starts with _

Fixes: https://fedorahosted.org/ipsilon/ticket/71

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoAdd negative authentication test
Simo Sorce [Wed, 18 Mar 2015 00:18:21 +0000 (20:18 -0400)]
Add negative authentication test

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoFix error returned from login plugins
Simo Sorce [Tue, 17 Mar 2015 23:01:59 +0000 (19:01 -0400)]
Fix error returned from login plugins

Some login plugins use form based authentication and let the user retry
on authentication errors. This is fine, however the wrong error code is
returned in this case, 401 should be returned.

Fixes: https://fedorahosted.org/ipsilon/ticket/94

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoMake SSSD Info enable the httpd_dbus_sssd boolean.
Patrick Uiterwijk [Mon, 16 Mar 2015 14:07:41 +0000 (15:07 +0100)]
Make SSSD Info enable the httpd_dbus_sssd boolean.

https://fedorahosted.org/ipsilon/ticket/23#comment:13

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoBuild dated RPMs by default
Patrick Uiterwijk [Mon, 16 Mar 2015 14:16:03 +0000 (15:16 +0100)]
Build dated RPMs by default

This stores the build date and git commit in the version.
This way, it's a lot easier to determine when it was last built.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoSave user attributes on subsequent calls to login.
Rob Crittenden [Mon, 16 Mar 2015 18:34:24 +0000 (14:34 -0400)]
Save user attributes on subsequent calls to login.

When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.

Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user is empty then save the new data.

https://fedorahosted.org/ipsilon/ticket/86

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoUse the IPA API directly when adding the HTTP principal
Rob Crittenden [Fri, 13 Mar 2015 18:56:26 +0000 (14:56 -0400)]
Use the IPA API directly when adding the HTTP principal

This is the only way to force in a custom version string
so that the remote IPA server doesn't reject the request
as being newer than the server.

This also removes the need to iterate over all servers
as the IPA connection API does this automatically.

https://fedorahosted.org/ipsilon/ticket/47

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoFix some pylint warnings in logout test about shadowing variables.
Rob Crittenden [Mon, 16 Mar 2015 20:39:02 +0000 (16:39 -0400)]
Fix some pylint warnings in logout test about shadowing variables.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoAdd test for multi-SP logout
Rob Crittenden [Wed, 4 Mar 2015 22:49:40 +0000 (17:49 -0500)]
Add test for multi-SP logout

Create an additional SP, log into one, fetch the other and
the client is now logged into both. Log out of the first one
and the client is logged out of both.

https://fedorahosted.org/ipsilon/ticket/58

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoSet MALLOC_CHECK_ and MALLOC_PERTURB_ to catch memory problems
Rob Crittenden [Wed, 4 Mar 2015 22:36:29 +0000 (17:36 -0500)]
Set MALLOC_CHECK_ and MALLOC_PERTURB_ to catch memory problems

MALLOC_CHECK_ set to 3 should abort if a memory problem is found.

MALLOC_PERTURB_ should catch any usage of freed memory.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoEnable Apache access log and core dump in tests
Rob Crittenden [Wed, 4 Mar 2015 22:33:31 +0000 (17:33 -0500)]
Enable Apache access log and core dump in tests

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoDon't explicitly save sessions
Nathan Kinder [Wed, 11 Mar 2015 23:51:29 +0000 (16:51 -0700)]
Don't explicitly save sessions

Saving a session causes it to be unlocked, but sessions have a
hook that also performs a save just before the session is finalized.
In CherryPy 3.3.0 and later, an assertion was added to ensure that
a session is locked when trying to perform a save.  Since we perform
explicit saves in our code, this causes the assertion to be tripped
when the hook executes.

This patch removes our explicit save calls.  We should rely on the
hook to save and unlock the session.

https://fedorahosted.org/ipsilon/ticket/84

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoProper fallback from referer to REQUEST_URI
Simo Sorce [Thu, 12 Mar 2015 17:51:04 +0000 (13:51 -0400)]
Proper fallback from referer to REQUEST_URI

If the referer is present but does not contain a transaction ID we still
need to fallback to the REQUEST_URI. Fix the code to check the url and
then fallback to REQUEST_URI rathe than decide upfront merely on the
fact a referer is available.

https://fedorahosted.org/ipsilon/ticket/74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoValidate SP path settings during installation
Nathan Kinder [Wed, 11 Mar 2015 03:02:07 +0000 (20:02 -0700)]
Validate SP path settings during installation

There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:

 - All path options must be prefixed with '/'.

 - The mellon endpoint path (--saml-sp) must be a subpath of the
   httpd 'Location' element is it contained within (--saml-base).

 - The logout (--saml-sp-logout) and post (--saml-sp-post) paths
   must be subpaths of the mellon endpoint (--saml-sp).

This adds validation for all of the above rules.

https://fedorahosted.org/ipsilon/ticket/82

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd mod_wsgi display name for Ipsilon WSGI process
Nathan Kinder [Wed, 11 Mar 2015 03:12:03 +0000 (20:12 -0700)]
Add mod_wsgi display name for Ipsilon WSGI process

This adds the mod_wsgi display-name setting to allow the Ipsilon
WSGI process to show up with a useful process name instead of
'httpd'.  This allows one to easily distinguish the WSGI process
from other httpd processes.

https://fedorahosted.org/ipsilon/ticket/62

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd Cache-Control header to prevent browser caching of SAML auth location
Nathan Kinder [Tue, 10 Mar 2015 18:22:47 +0000 (11:22 -0700)]
Add Cache-Control header to prevent browser caching of SAML auth location

We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:

    Header append Cache-Control "no-cache"

https://fedorahosted.org/ipsilon/ticket/81

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoRequire SSL on SP when using --saml-secure-setup
Nathan Kinder [Tue, 10 Mar 2015 03:28:47 +0000 (20:28 -0700)]
Require SSL on SP when using --saml-secure-setup

If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication.  We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified.  In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoFind transaction ids for internal redirects
Simo Sorce [Fri, 6 Mar 2015 17:12:00 +0000 (12:12 -0500)]
Find transaction ids for internal redirects

On internal redirections, such as when ErrorDocument is used to
redirect on failed negotiate authentication we need to look harder
for the transaction id.

Ticket: #74

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
4 years agoFix transaction ID passing for failed authentication
Patrick Uiterwijk [Tue, 3 Mar 2015 03:39:05 +0000 (04:39 +0100)]
Fix transaction ID passing for failed authentication

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoRequire admin when accessing REST pages
Rob Crittenden [Mon, 2 Mar 2015 19:47:22 +0000 (14:47 -0500)]
Require admin when accessing REST pages

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoInstall and package the new REST components
Rob Crittenden [Mon, 2 Mar 2015 19:47:07 +0000 (14:47 -0500)]
Install and package the new REST components

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd test for REST Service Provider GET and POST
Rob Crittenden [Fri, 27 Feb 2015 03:33:20 +0000 (22:33 -0500)]
Add test for REST Service Provider GET and POST

Provision two Service Providers then test:

- We can fetch a blank list of SPs
- Add an SP via the admin interface
- We get list of all SPs and that is it
- Add an SP via POST
- We get list of all SPs and now there are two
- We get a specific SP and confirm we got the right one.

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoBreak out getting SP metadata into a separate test helper
Rob Crittenden [Fri, 27 Feb 2015 03:25:05 +0000 (22:25 -0500)]
Break out getting SP metadata into a separate test helper

This allows us to get the metadata for creation via REST POST

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLoad and initialize REST in the SAML2 plugin
Rob Crittenden [Thu, 26 Feb 2015 20:56:55 +0000 (15:56 -0500)]
Load and initialize REST in the SAML2 plugin

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoImplement GET and POST REST API for Service Providers
Rob Crittenden [Thu, 26 Feb 2015 20:57:20 +0000 (15:57 -0500)]
Implement GET and POST REST API for Service Providers

The mount point is /idp/rest/providers/saml2/SPS.

GET .../SPS will retrieve all Service Providers
GET .../SPS/foo will retrieve the Service Provider named foo
POST .../SPS/foo will create the Service Provider named foo

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLoad REST plugins onto the Root object
Rob Crittenden [Thu, 26 Feb 2015 20:55:00 +0000 (15:55 -0500)]
Load REST plugins onto the Root object

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoAdd base REST provider framework classes
Rob Crittenden [Thu, 26 Feb 2015 20:50:37 +0000 (15:50 -0500)]
Add base REST provider framework classes

These classes handle mounting the REST plugins.

The starting mount point is: /idp/rest/providers

https://fedorahosted.org/ipsilon/ticket/26

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoChange root class of Page from Log to Endpoint
Rob Crittenden [Wed, 25 Feb 2015 15:13:26 +0000 (10:13 -0500)]
Change root class of Page from Log to Endpoint

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLow-level class for managing request endpoints
Rob Crittenden [Fri, 20 Feb 2015 15:57:32 +0000 (10:57 -0500)]
Low-level class for managing request endpoints

An Endpoint is different from a Page in that it doesn't have menus,
templates, transactions, etc. It is only defines a URL that can be
mounted.

https://fedorahosted.org/ipsilon/ticket/38

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoBump version numbers for release v0.4.0 v0.4.0
Patrick Uiterwijk [Fri, 27 Feb 2015 08:27:34 +0000 (09:27 +0100)]
Bump version numbers for release v0.4.0

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd uninstallation support.
Patrick Uiterwijk [Wed, 4 Feb 2015 09:58:14 +0000 (10:58 +0100)]
Add uninstallation support.

As part of this, made all plugins use a Installer baseclass.

https://fedorahosted.org/ipsilon/ticket/38

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAvoid attrs test flakines, stop using info_nss
Simo Sorce [Tue, 24 Feb 2015 22:34:09 +0000 (17:34 -0500)]
Avoid attrs test flakines, stop using info_nss

authtest already sets the fullname attribute,
just use that one instead of relying on nss which, on test systems
may have a completely empty gecos field, which makes the test fail.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoSplit tools between components that require them
Patrick Uiterwijk [Tue, 24 Feb 2015 21:17:23 +0000 (22:17 +0100)]
Split tools between components that require them

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
4 years ago__init__ needs to be in the main package
Patrick Uiterwijk [Tue, 24 Feb 2015 21:02:58 +0000 (22:02 +0100)]
__init__ needs to be in the main package

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoBump spec file
Patrick Uiterwijk [Tue, 24 Feb 2015 20:34:44 +0000 (21:34 +0100)]
Bump spec file

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoDo not require ipsilon-tools
Patrick Uiterwijk [Tue, 24 Feb 2015 19:59:48 +0000 (20:59 +0100)]
Do not require ipsilon-tools

If you want to install without the installer, it's not required

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoSplit the installer into -tools
Patrick Uiterwijk [Tue, 24 Feb 2015 20:23:44 +0000 (21:23 +0100)]
Split the installer into -tools

The installer is not needed if you deploy with config management

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoSplit off authform
Patrick Uiterwijk [Tue, 24 Feb 2015 19:47:27 +0000 (20:47 +0100)]
Split off authform

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoMake the configparser case sensitive.
Patrick Uiterwijk [Tue, 24 Feb 2015 16:48:24 +0000 (17:48 +0100)]
Make the configparser case sensitive.

Per the instructions of
https://docs.python.org/2/library/configparser.html#ConfigParser.RawConfigParser.optionxform

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoMake available case insensitive mapping matching
Simo Sorce [Mon, 23 Feb 2015 20:25:09 +0000 (15:25 -0500)]
Make available case insensitive mapping matching

If ignore_case is True then the incomping attributes are matched
case-insensitively in the policy engine.
The CAse of the incoming attribute is not changed on wildcard
matches. On ther matches attributes will be replaced according
to the mapping tables and the case used will be that of the
mapped attributes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoUse the new Policy engine for login/info mapping
Simo Sorce [Mon, 23 Feb 2015 04:53:33 +0000 (23:53 -0500)]
Use the new Policy engine for login/info mapping

The InfoMapping class is now only used to prettify the default
set of wellknown attributes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd dynamic list to plugin_config forms
Simo Sorce [Sun, 22 Feb 2015 22:12:13 +0000 (17:12 -0500)]
Add dynamic list to plugin_config forms

This little javascript allows us to dyamically add form fields in
the ComplexList and MappingList tables. Makes it much easier to add
elements to these lists.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoHandle changing MappingList options
Simo Sorce [Sun, 22 Feb 2015 20:14:44 +0000 (15:14 -0500)]
Handle changing MappingList options

Add admin function to handle getting a MappingList object in
form of key/value pair fields.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoHandle changing ComplexList options
Simo Sorce [Sun, 22 Feb 2015 19:55:35 +0000 (14:55 -0500)]
Handle changing ComplexList options

Add admin function to handle getting a ComplexList object in
form of key/value pair fields.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoDo not crash on failure to load config
Simo Sorce [Sun, 22 Feb 2015 19:54:35 +0000 (14:54 -0500)]
Do not crash on failure to load config

Just report an error and continue with default values.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd support for new options to plugin_config.html
Simo Sorce [Wed, 18 Feb 2015 19:27:58 +0000 (14:27 -0500)]
Add support for new options to plugin_config.html

This add support in the template for showing ComplexList and
MappingList options.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd support for attribute policies in openidp
Simo Sorce [Mon, 16 Feb 2015 18:47:33 +0000 (13:47 -0500)]
Add support for attribute policies in openidp

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd support for attribute policies in samlidp
Simo Sorce [Mon, 16 Feb 2015 16:13:29 +0000 (11:13 -0500)]
Add support for attribute policies in samlidp

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd config option to load mapping lists
Simo Sorce [Mon, 16 Feb 2015 15:14:33 +0000 (10:14 -0500)]
Add config option to load mapping lists

This requires careful handling, and should be used sparingly

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd Policy class to help filter attributes
Simo Sorce [Mon, 16 Feb 2015 14:33:07 +0000 (09:33 -0500)]
Add Policy class to help filter attributes

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoPrefix userdata hives with _ to avoid conflicts
Simo Sorce [Mon, 16 Feb 2015 19:04:49 +0000 (14:04 -0500)]
Prefix userdata hives with _ to avoid conflicts

The main userdata dict contains common attributes, but we add
a sepcial groups list and unmapped extras, as well as indicators
like auth_type.
All these additional attributes are now prefixed by a _ character
so that conflicts with legitimate attributes are improbable.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoChange attrs test to check for fullname
Simo Sorce [Mon, 16 Feb 2015 23:15:17 +0000 (18:15 -0500)]
Change attrs test to check for fullname

We are not going to return 'extras' by default, and the only
nss attribute mapped to the 'userdata' space is the gecos (as 'fullname')

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoFix typos in openid provider comments
Simo Sorce [Mon, 16 Feb 2015 18:32:14 +0000 (13:32 -0500)]
Fix typos in openid provider comments

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoFix RPM field seperator
Patrick Uiterwijk [Fri, 20 Feb 2015 13:28:23 +0000 (14:28 +0100)]
Fix RPM field seperator

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd info plugin that utilizes Apache mod_lookup_identity plugin
Rob Crittenden [Thu, 12 Feb 2015 16:49:20 +0000 (11:49 -0500)]
Add info plugin that utilizes Apache mod_lookup_identity plugin

mod_look_identity looks up identity information from sssd over
dbus, making additional identity attributes available.

https://fedorahosted.org/ipsilon/ticket/31

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoLet the plugin configure calls notice failures.
Rob Crittenden [Fri, 13 Feb 2015 19:12:55 +0000 (14:12 -0500)]
Let the plugin configure calls notice failures.

The call to configure the info/login/auth/provider plugins
had no way of recognizing that the configuration failed. Have it
check for an explicit False return value as an indication of failure.

This lets the configuration plugin do a simple return (None) if
it isn't enabled.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoFix typo in nss and infoldap info plugins
Rob Crittenden [Fri, 13 Feb 2015 15:21:53 +0000 (10:21 -0500)]
Fix typo in nss and infoldap info plugins

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoTest for Single Logout Service
Rob Crittenden [Fri, 30 Jan 2015 21:12:23 +0000 (16:12 -0500)]
Test for Single Logout Service

https://fedorahosted.org/ipsilon/ticket/24

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoImplement Single Logout Service for SP-initiated logout
Rob Crittenden [Fri, 30 Jan 2015 20:07:12 +0000 (15:07 -0500)]
Implement Single Logout Service for SP-initiated logout

https://fedorahosted.org/ipsilon/ticket/24

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoAdd SAML-specific session data for tracking login/logout sessions
Rob Crittenden [Fri, 30 Jan 2015 15:03:03 +0000 (10:03 -0500)]
Add SAML-specific session data for tracking login/logout sessions

https://fedorahosted.org/ipsilon/ticket/24

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoRegister SingleLogoutService SAML2 metadata
Rob Crittenden [Thu, 29 Jan 2015 22:21:35 +0000 (17:21 -0500)]
Register SingleLogoutService SAML2 metadata

https://fedorahosted.org/ipsilon/ticket/24

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoAdd helper to store provider specific data
Rob Crittenden [Thu, 29 Jan 2015 15:24:02 +0000 (10:24 -0500)]
Add helper to store provider specific data

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoIgnore .rnd (openssl stuff)
Patrick Uiterwijk [Fri, 6 Feb 2015 14:05:04 +0000 (15:05 +0100)]
Ignore .rnd (openssl stuff)

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoMake test results more clear
Patrick Uiterwijk [Fri, 6 Feb 2015 13:54:19 +0000 (14:54 +0100)]
Make test results more clear

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoFall back to default templates dir if it does not exist in template_dir
Patrick Uiterwijk [Tue, 3 Feb 2015 15:37:47 +0000 (16:37 +0100)]
Fall back to default templates dir if it does not exist in template_dir

This would enable people to only override the templates they care about
overriding, like master.html, while still retaining the rest.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
4 years agoRemove print lines from openid
Patrick Uiterwijk [Tue, 3 Feb 2015 13:23:05 +0000 (14:23 +0100)]
Remove print lines from openid

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd the OpenID xrds template to setup.py
Patrick Uiterwijk [Tue, 3 Feb 2015 13:21:06 +0000 (14:21 +0100)]
Add the OpenID xrds template to setup.py

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
4 years agoAdd expiration to Idp metadata
Simo Sorce [Mon, 19 Jan 2015 22:47:56 +0000 (17:47 -0500)]
Add expiration to Idp metadata

Also regenerate it frequently, so that any change in configuration can be
automatically reflected in the metadata downloaded my clients over time.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd Metadata Generator helper class
Simo Sorce [Mon, 19 Jan 2015 22:02:41 +0000 (17:02 -0500)]
Add Metadata Generator helper class

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd support for expiration in Metadata
Simo Sorce [Mon, 19 Jan 2015 20:15:03 +0000 (15:15 -0500)]
Add support for expiration in Metadata

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
4 years agoAdd function to import a cert from a file
Simo Sorce [Mon, 19 Jan 2015 20:14:43 +0000 (15:14 -0500)]
Add function to import a cert from a file

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoUpdate spec file after Fedora review
Patrick Uiterwijk [Wed, 28 Jan 2015 19:37:24 +0000 (20:37 +0100)]
Update spec file after Fedora review

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoFix request multipart logging when only 1 part is present
John Dennis [Tue, 27 Jan 2015 16:53:31 +0000 (11:53 -0500)]
Fix request multipart logging when only 1 part is present

Test to see if the request parameter value is a cherrypy Part
class. This was already being done for the case where the value was a
list, but it was omitted for single values. Logic was combined into new
local function print_param().

Changed the test for the class back to using

    if isinstance(item, cherrypy._cpreqbody.Part):

instead of:

    if getattr(item, "part_class", None):

because using isinstance() clearly indicates what is being done. The
use of getattr() was introduced to prevent a pylint warning concering
use of protected values. The getattr() hack is confusing and proably
not robust if the class implementation changes. The patch now disables
this warning. I cannot explain why cherrypy marks these modules as
protected when clearly one has to utilize them and they are documented
in the cherrypy API doc. Disabling the warning seems the cleanest and
most robust approach.

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoFix int/pep8 errors in latest patches
Simo Sorce [Mon, 26 Jan 2015 22:10:20 +0000 (17:10 -0500)]
Fix int/pep8 errors in latest patches

Mea culpa for not checking before pushing

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: John Dennis <jdennis@redhat.com>
5 years agoAdd source code context information to debug logs
John Dennis [Mon, 12 Jan 2015 15:47:37 +0000 (10:47 -0500)]
Add source code context information to debug logs

The log.debug() function helpfully adds the name of the function
invoking it but in a complicated software package there are many
functions/methods which share the same name. Thus a debug message
like this:

DEBUG(__init__): xxx

does not give you much context, there are probably hundreds of
__init__ methods. It would help to qualify the method name which it's
class name, that gives a lot more context when reading the
log. Sometimes it's also helpful to know the file and line number.

This patch adds the class name to the function and included the
filename and line number as well. The file path is trimmed to the last
3 components, sufficient to give context but not too verbose. Now the
debug message might look like this instead:

DEBUG(ipsilon/providers/common.py:129 LoadProviders.__init__()): xxx

Also included is a config option 'stacktrace_on_error' which will
include a stacktrace when the log.error function is called. It can be
very useful to see a stacktrace when logging an error, it defaults to
off.

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoAdd request/response logging via cherrypy tool hooks
John Dennis [Tue, 20 Jan 2015 22:13:34 +0000 (17:13 -0500)]
Add request/response logging via cherrypy tool hooks

The ability to easily review the HTTP Ipsilon request and response is
boon for development and issue debugging. Normally these HTTP
conversations occur on SSL/TLS encrypted connections making it
difficult to use other tools to view the traffic. Client side tools
have known pitfalls (e.g. Firebug) and not all conversations are
browser initiated (e.g. SAML ECP). Logging performed by the server
hosting Ipsilon makes logging at the server level server specific
(e.g. Apache's dumpio requires post-processing the log file to extract
and reassamble the HTTP conversation). The best place to log requests
and responses is within Ipsilon using the cherrypy framework
Ipsilon is embedded in. Cherrypy provides user defined hooks that can
be invoked at specific places in the request pipeline. We establish a
hook at the last stage just before the response is written to the
client, it logs the incoming request and outgoing response.

Resolves: https://fedorahosted.org/ipsilon/ticket/44

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoFix a copy-paste error
Patrick Uiterwijk [Thu, 22 Jan 2015 14:03:55 +0000 (15:03 +0100)]
Fix a copy-paste error

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoFix some copy-paste errors in help output
Patrick Uiterwijk [Mon, 12 Jan 2015 13:24:37 +0000 (14:24 +0100)]
Fix some copy-paste errors in help output

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
https://fedorahosted.org/ipsilon/ticket/33

5 years agoUse referer too as source of transaction IDs
Simo Sorce [Mon, 12 Jan 2015 20:02:18 +0000 (15:02 -0500)]
Use referer too as source of transaction IDs

This allows us to use apache module that use things like ErrorDocument
directives to do internal redirects and still retain the original
transaction intact.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoFix file permissions and remove shebang's
Patrick Uiterwijk [Tue, 16 Dec 2014 15:40:03 +0000 (16:40 +0100)]
Fix file permissions and remove shebang's

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoBump RPM spec version to 0.3.0
Simo Sorce [Fri, 12 Dec 2014 17:26:18 +0000 (12:26 -0500)]
Bump RPM spec version to 0.3.0

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoUpdate version and maintainer info v0.3.0
Patrick Uiterwijk [Thu, 11 Dec 2014 21:33:44 +0000 (22:33 +0100)]
Update version and maintainer info

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoMake quickrun create a symlink to ui
Patrick Uiterwijk [Sat, 6 Dec 2014 17:40:38 +0000 (12:40 -0500)]
Make quickrun create a symlink to ui

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoChange working directory for quickrun
Simo Sorce [Fri, 5 Dec 2014 20:49:14 +0000 (15:49 -0500)]
Change working directory for quickrun

Set the current working directory to the provided one, so if realtive
paths are used by plugins they within the quickrun working area.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoMake pep8 happy again
Simo Sorce [Fri, 5 Dec 2014 20:54:02 +0000 (15:54 -0500)]
Make pep8 happy again

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoAdd OpenIDStore to store associations and nonces
Patrick Uiterwijk [Fri, 5 Dec 2014 17:28:21 +0000 (12:28 -0500)]
Add OpenIDStore to store associations and nonces

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoAdd defaults to List objects
Simo Sorce [Fri, 5 Dec 2014 20:37:28 +0000 (15:37 -0500)]
Add defaults to List objects

Otherwise we get backtraces when checking for list members and no configuration
have been stored in the database yet.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoAllow to pass drectly a URL to the Store class
Simo Sorce [Fri, 5 Dec 2014 19:28:22 +0000 (14:28 -0500)]
Allow to pass drectly a URL to the Store class

This is useful for plugins that want to use their own database configuration
but still want to reuse he Store class for simplicity.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoAdd support for Persona Identity Provider
Patrick Uiterwijk [Thu, 13 Nov 2014 09:18:05 +0000 (10:18 +0100)]
Add support for Persona Identity Provider

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoMake sure the XRDS is returned as string
Patrick Uiterwijk [Thu, 13 Nov 2014 13:45:13 +0000 (14:45 +0100)]
Make sure the XRDS is returned as string

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoDelay exposing OpenID
Patrick Uiterwijk [Thu, 13 Nov 2014 13:39:30 +0000 (14:39 +0100)]
Delay exposing OpenID

This makes sure we have loaded the configuration
before using it

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoFix LDAP plugin configuration checks
Patrick Uiterwijk [Thu, 13 Nov 2014 12:59:41 +0000 (13:59 +0100)]
Fix LDAP plugin configuration checks

Interpret config value correctly (it is a boolean now)
Pass required argument

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
5 years agoImprove spec file
Simo Sorce [Tue, 11 Nov 2014 23:34:58 +0000 (18:34 -0500)]
Improve spec file

Add missing dependencies.
Split into smaller packages so that admins can choose what to install and
what dependencies to drag in.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoBump version to 0.2.6
Simo Sorce [Wed, 12 Nov 2014 03:56:38 +0000 (22:56 -0500)]
Bump version to 0.2.6

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoFix svg parsing in mod_wsgi
Simo Sorce [Wed, 12 Nov 2014 20:20:14 +0000 (15:20 -0500)]
Fix svg parsing in mod_wsgi

Whe ipsilon is used behind apache we need to cast the template to a string.
Otherwise mod_wsgi returns a TypeError complaining about the fact data is
a unicode string instead of a byte string.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoAdd admin svg to setup.py
Simo Sorce [Wed, 12 Nov 2014 03:55:01 +0000 (22:55 -0500)]
Add admin svg to setup.py

Otherwise it will be missing from oficial distribution files.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoAdd missing openid paths to setup.py
Simo Sorce [Tue, 11 Nov 2014 23:37:38 +0000 (18:37 -0500)]
Add missing openid paths to setup.py

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
5 years agoAdd visual cues to configuration panels
Simo Sorce [Thu, 6 Nov 2014 19:01:04 +0000 (14:01 -0500)]
Add visual cues to configuration panels

Make it easier to recognize which plugins are enabled and which are
disabled. Also make it easier to recognize when a plugin has just changed
state, by flashing its row (help also realize it may have moved up/down)

Based on concept work by Petr Vobornik

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>