Validate SP names for admin pages and REST
[cascardo/ipsilon.git] / ipsilon / providers / saml2 / provider.py
old mode 100755 (executable)
new mode 100644 (file)
index 8b7f04e..d1c7b42
@@ -1,5 +1,3 @@
-#!/usr/bin/python
-#
 # Copyright (C) 2014  Simo Sorce <simo@redhat.com>
 #
 # see file 'COPYING' for use and warranty information
 
 from ipsilon.providers.common import ProviderException
 from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
-import cherrypy
+from ipsilon.util.log import Log
 import lasso
+import re
+
+
+VALID_IN_NAME = r'[^\ a-zA-Z0-9]'
 
 
 class InvalidProviderId(ProviderException):
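Review bot: `VALID_IN_NAME` is named as if it listed the allowed characters, but the negated class `[^\ a-zA-Z0-9]` matches any character that is not allowed, so a truthy `re.search(VALID_IN_NAME, ...)` means the name is invalid. This constant gates SP names for the admin pages and REST, so a later caller misreading it could invert the check. I would rename it to something like `INVALID_IN_NAME`, or at least add `# Matches any character NOT allowed in an SP name; allowed: space, ASCII letters, digits` above it. The backslash before the space is also unnecessary inside a character class. The hunk ends on the `InvalidProviderId` class line, whose body is outside the hunk.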
@@ -42,7 +44,7 @@ class NameIdNotAllowed(Exception):
         return repr(self.message)
 
 
-class ServiceProvider(object):
+class ServiceProvider(Log):
 
     def __init__(self, config, provider_id):
         self.cfg = config
@@ -118,8 +120,6 @@ class ServiceProvider(object):
         self._debug('Requested NameId [%s]' % (nip.format,))
         if nip.format is None:
             return SAML2_NAMEID_MAP[self.default_nameid]
-        elif nip.format == lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED:
-            return SAML2_NAMEID_MAP[self.default_nameid]
         else:
             allowed = self.allowed_nameids
             self._debug('Allowed NameIds %s' % (repr(allowed)))
@@ -135,15 +135,16 @@ class ServiceProvider(object):
         idval = data.keys()[0]
         self.cfg.del_datum(idval)
 
-    def _debug(self, fact):
-        if cherrypy.config.get('debug', False):
-            cherrypy.log(fact)
-
     def normalize_username(self, username):
         if 'strip domain' in self._properties:
             return username.split('@', 1)[0]
         return username
 
+    def is_valid_name(self, value):
+        if re.search(VALID_IN_NAME, value):
+            return False
+        return True
+
     def is_valid_nameid(self, value):
         if value in SAML2_NAMEID_MAP:
             return True
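Review bot: `is_valid_name` accepts the empty string and a name made only of spaces, because `re.search` finds no forbidden character in either. The same holds for the inline check added to `create_from_buffer` in the next hunk. If such names are not rejected elsewhere (not visible here), the guard could read `if not value.strip() or re.search(VALID_IN_NAME, value):` followed by `return False`. A one-line docstring stating the accepted alphabet would also help callers. The `is_valid_nameid` lines at the end are context, and that method continues outside the hunk.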
@@ -161,6 +162,10 @@ class ServiceProviderCreator(object):
     def create_from_buffer(self, name, metabuf):
         '''Test and add data'''
 
+        if re.search(VALID_IN_NAME, name):
+            raise InvalidProviderId("Name must contain only "
+                                    "numbers and letters")
+
         test = lasso.Server()
         test.addProviderFromBuffer(lasso.PROVIDER_ROLE_SP, metabuf)
         newsps = test.get_providers()
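Review bot: The error text says the name must contain only numbers and letters, but `VALID_IN_NAME` also lets a space through, so the message and the check disagree. Either drop the space from the pattern or change the message to `"Name must contain only letters, numbers and spaces"`. This test also duplicates the regex check in `ServiceProvider.is_valid_name`; a single module-level helper used by both would keep the two from drifting apart. `create_from_buffer` continues past the end of the hunk.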
@@ -185,7 +190,7 @@ class ServiceProviderCreator(object):
         return ServiceProvider(self.cfg, spid)
 
 
-class IdentityProvider(object):
+class IdentityProvider(Log):
     def __init__(self, config):
         self.server = lasso.Server(config.idp_metadata_file,
                                    config.idp_key_file,
@@ -207,6 +212,8 @@ class IdentityProvider(object):
     def get_providers(self):
         return self.server.get_providers()
 
-    def _debug(self, fact):
-        if cherrypy.config.get('debug', False):
-            cherrypy.log(fact)
+    def get_logout_handler(self, dump=None):
+        if dump:
+            return lasso.Logout.newFromDump(self.server, dump)
+        else:
+            return lasso.Logout(self.server)
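Review bot: `get_logout_handler` has no docstring, and the `dump` it hands to `lasso.Logout.newFromDump` restores serialized logout state, so the origin of that string matters. I would add a docstring such as `'''Return a lasso.Logout, restored from a previously saved dump when one is given.'''`. It should also state that `dump` is expected to come from server-side session storage rather than from the request. The callers are not visible in this hunk, so that expectation should be confirmed against them.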