Simo Sorce [Fri, 2 May 2014 01:00:14 +0000 (21:00 -0400)]
Always use saml by default
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 1 May 2014 17:16:14 +0000 (13:16 -0400)]
Make SELinux happy
Add proper context to shared state directories so that httpd can write there.
Relax SELinux booleans to allow use of pam modules
This allows running Ipsilon in fully enforcing mode when pam auth
using the python-pam modules is used.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 1 May 2014 19:31:25 +0000 (15:31 -0400)]
Avoid failing install if sessions directory exists
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 1 May 2014 20:37:12 +0000 (16:37 -0400)]
Eliminate stale locks
If the server crashes stale lock files may be left behind.
This will cause the application to deadlock for the user that has
the misfortune of having a stale lock.
Forcibly remove all locks on startup.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 2 May 2014 00:52:02 +0000 (20:52 -0400)]
Fix typo in ipsilon-client-install
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 28 Apr 2014 13:27:30 +0000 (09:27 -0400)]
Bump up spec file version too
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 25 Apr 2014 20:46:00 +0000 (16:46 -0400)]
Bump version up to 0.2.1
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 21 Apr 2014 03:45:18 +0000 (23:45 -0400)]
Do not hardcode sessions directory in spec file
This directory is now generated dynamically based on the instance
name at ipsilon-server-install time.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 04:43:37 +0000 (00:43 -0400)]
Make it easy to install multiple server instances
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 04:16:12 +0000 (00:16 -0400)]
Move templatized file creation to tools
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 03:59:35 +0000 (23:59 -0400)]
Move fixing files functionality to tools
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 21 Apr 2014 02:00:08 +0000 (22:00 -0400)]
Convert all forms to use util.Page form support
This way all forms will get Referer checking automatically
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 21 Apr 2014 01:41:24 +0000 (21:41 -0400)]
Add New form helper to Page object
This removes the need to define a root function only to redirect to
a GET/POST one.
Also adds basic CSRF protection if the page is declared a form.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 04:51:26 +0000 (00:51 -0400)]
Update contrib spec file for version 0.2
Drop changelog, it's unnecessary, commit logs are available in git
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 05:28:34 +0000 (01:28 -0400)]
Fix warning
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 05:27:09 +0000 (01:27 -0400)]
Revert incorrect change to template file
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 18 Apr 2014 04:47:52 +0000 (00:47 -0400)]
Add missing install file
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 16 Apr 2014 22:12:52 +0000 (18:12 -0400)]
Bump up to version 0.2
now that we have a basic client and server installers we have reached
a milestone. Bump up the version.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 14 Apr 2014 22:38:45 +0000 (18:38 -0400)]
Fix NameId exception
Report what invalid name was used and fix exception on raising the exception on
line 129
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 14 Apr 2014 20:27:52 +0000 (16:27 -0400)]
Add nameid values validation
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 14 Apr 2014 20:18:06 +0000 (16:18 -0400)]
Refactor argument validation for SP forms
Use helper functions to make the code more readable and exceptions to reduce
error handling duplication.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 11 Apr 2014 22:20:32 +0000 (18:20 -0400)]
Validate Service Provider names
We use the name to construct the admin page path, avoid odd characters
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 10 Apr 2014 20:22:53 +0000 (16:22 -0400)]
Install client tools in a separate rpm package
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sat, 5 Apr 2014 17:23:02 +0000 (13:23 -0400)]
Add basic installation script with saml support
Generates (self signed) certificates and a metadata.xml file.
Optionally configures an Apache Httpd server.
If the admin does not configure a specific application at install time
a default landing page is made available to be able to test that the SP
configuration works.
Uninstall removes all certificates and metadata file and is irreversible.
Simo Sorce [Fri, 11 Apr 2014 20:46:24 +0000 (16:46 -0400)]
Allow to set additional custom keys on services
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 9 Apr 2014 19:21:55 +0000 (15:21 -0400)]
Simplify metadata add_service signature
Add a map that takes care of the lower level lasso-related details
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 11 Apr 2014 19:42:54 +0000 (15:42 -0400)]
Store full path immediately
Allows to query .key and .cert to be used to find the files on the system
directly w/o having to know what path was previously used to initialize the
class.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 9 Apr 2014 19:16:02 +0000 (15:16 -0400)]
If no path is provided use current directory
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 9 Apr 2014 18:02:08 +0000 (14:02 -0400)]
Move accessory functions to a generic tools module
This will allow to easily share the module with install tools, without the
need to install server side modules in clients
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 7 Apr 2014 20:02:20 +0000 (16:02 -0400)]
Rename scripts and mark them as such
Mark actual top level scripts as such instead of disguising them as modules.
Also remove __init__.py from ipsilon/install as this is not a module just
the place where install scripts are kept, for now.
Note: Scripts are installed in the bin directory but the contrib spec file
moves them to sbin.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 11 Apr 2014 20:36:16 +0000 (16:36 -0400)]
Add debug logging of lasso library
If debug is enabled make lasso spit debug messages to stderr too, to aid
admins in resolving issues related to saml2 issues, like finding out why
a metadata file may be rejected.
This is very simple for now, a future enhancement may involve piping the
logs into a class so they can be spat out as feedback to users.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 7 Apr 2014 22:41:12 +0000 (18:41 -0400)]
Return Idps metadata file on request
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 7 Apr 2014 22:28:41 +0000 (18:28 -0400)]
Fix generation of endpoint URLs
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 7 Apr 2014 20:49:06 +0000 (16:49 -0400)]
Change provider plugins registration and enablement
When plugins are not enabled at startup the admin page is not available
as it is created only on enablement.
Split enablement and registration, so plugins can be registered even
when actually disabled.
Also rework the way enablement is tracked and make sure enablement status
is saved back to the database when it changes so it is kept on restarts.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 11 Apr 2014 21:24:46 +0000 (17:24 -0400)]
Add explicit error for Unknown Providers
This way the user will get a slightly more meaningful error message.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 4 Apr 2014 22:01:19 +0000 (18:01 -0400)]
Properly support rename operation
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 4 Apr 2014 17:19:51 +0000 (13:19 -0400)]
Admin functions to delete Service Providers
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 4 Apr 2014 17:26:02 +0000 (13:26 -0400)]
Add infrastructure to delete plugin data by id
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 4 Apr 2014 17:08:02 +0000 (13:08 -0400)]
Admin functions to add new Service Providers
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 4 Apr 2014 17:07:19 +0000 (13:07 -0400)]
Admin classes to change SP properties
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 3 Apr 2014 19:42:35 +0000 (15:42 -0400)]
Providers can save properties back to the database
This way a provider class can be used in admin pages as well and remain
consistent.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 3 Apr 2014 19:42:35 +0000 (15:42 -0400)]
Add Service and Identity Provider abstraction
This commit adds:
- helper functions to create new providers
- separate IdentityProvider class to represent the IDP.
Database changes:
The saml2 plugin database now contains the metadata file contents and does not
rely anymore on on-disk data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 4 Apr 2014 14:34:21 +0000 (10:34 -0400)]
Add racefree way to add a new unique data point
Our schema gathers together data related to a service by using an ID
column. This column cannot be unique or a primary key as the ID is
repeated for each key/value pair in the datum group.
Use a unique identifier to make sure we can let sqlite generate a new
ID internally and then find out what it is as race-free as possible.
We keep this method in the data module so it can be changed later
without affecting application logic.
Signed-off-by: Simo Sorce <simo@redhat.com>
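The allocation scheme this commit describes, shown as an added example written for this log rather than taken from Ipsilon's code: the table name plugin_data, the reserved marker key name and the open_store helper are assumptions, and the store is an in-memory sqlite database constructed here.

```python
import sqlite3
import uuid

# Assumed schema (constructed for this example, not Ipsilon's real table):
# one row per key/value pair; the id column groups the pairs of one datum
# and is therefore neither UNIQUE nor a PRIMARY KEY.
SCHEMA = """
CREATE TABLE IF NOT EXISTS plugin_data (
    id    INTEGER NOT NULL,
    name  TEXT    NOT NULL,
    value TEXT
)
"""

MARKER = "__unique_id__"   # hypothetical reserved key name for the marker row


def open_store():
    """In-memory store with the assumed schema, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def new_unique_id(conn):
    """Allocate a fresh group id without a client-side read-then-write race.

    The id is computed inside the INSERT itself (MAX(id)+1), so the database
    picks it under its own write lock rather than the caller reading MAX and
    then inserting. The marker row carries a random token, and the caller
    looks up *its own* id by that token instead of trusting any value it
    could have computed before the insert."""
    token = uuid.uuid4().hex
    with conn:  # allocate and look up inside one transaction
        conn.execute(
            "INSERT INTO plugin_data (id, name, value) "
            "VALUES ((SELECT COALESCE(MAX(id), 0) + 1 FROM plugin_data), ?, ?)",
            (MARKER, token),
        )
        row = conn.execute(
            "SELECT id FROM plugin_data WHERE name = ? AND value = ?",
            (MARKER, token),
        ).fetchone()
    # The marker row is kept: it anchors the group so MAX(id) never moves
    # backwards, and readers simply filter it out.
    return row[0]


def add_datum(conn, data):
    """Store a dict of key/value pairs as one new group and return its id."""
    gid = new_unique_id(conn)
    with conn:
        conn.executemany(
            "INSERT INTO plugin_data (id, name, value) VALUES (?, ?, ?)",
            [(gid, key, value) for key, value in data.items()],
        )
    return gid


def get_datum(conn, gid):
    """Return the key/value pairs of one group, without the marker row."""
    rows = conn.execute(
        "SELECT name, value FROM plugin_data WHERE id = ? AND name != ?",
        (gid, MARKER),
    ).fetchall()
    return dict(rows)
```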
Simo Sorce [Thu, 3 Apr 2014 21:10:18 +0000 (17:10 -0400)]
No need to have a separate certificate file
Certificates are already contained in the metadata.xml file
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 27 Mar 2014 16:57:19 +0000 (12:57 -0400)]
Saml2 initial admin page
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 27 Mar 2014 16:56:28 +0000 (12:56 -0400)]
Add generic support for IdP plugin admin pages
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 26 Mar 2014 19:20:16 +0000 (15:20 -0400)]
Basic Identity providers plugin configuration
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 27 Mar 2014 15:56:34 +0000 (11:56 -0400)]
Refactor provider plugins enablement
This allows to enable/disable Identity Providers directly from the
configuration interface.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 26 Mar 2014 21:31:19 +0000 (17:31 -0400)]
Refactor login plugin enablement code
This allows us to finally implement the plugin enable/disable configuration
buttons and enable/disable plugins on the fly.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 26 Mar 2014 19:44:26 +0000 (15:44 -0400)]
Automatically build configuration page menu
Do not hardcode it, rather build it out of the pages tree.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 28 Mar 2014 18:07:11 +0000 (14:07 -0400)]
Add common way to add a subtree to a page
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 24 Mar 2014 20:59:41 +0000 (16:59 -0400)]
Move login plugin configuration to its own module
move also the template, in preparation for handling other configuration
data in the main page.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 24 Mar 2014 21:06:05 +0000 (17:06 -0400)]
Move admin_protect to a more generic module
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 24 Mar 2014 20:37:15 +0000 (16:37 -0400)]
Implement plugin ordering configuration
Allows to change the login plugins order from the admin configuration page.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 20 Mar 2014 21:54:35 +0000 (17:54 -0400)]
Add a default admin user at install time
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 20 Mar 2014 21:54:18 +0000 (17:54 -0400)]
Add way to save user preferences
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 20 Mar 2014 15:36:10 +0000 (11:36 -0400)]
Add install script and other spec file changes
Add install script
Change server name to drop .py suffix
Add necessary requires
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 20 Mar 2014 20:46:18 +0000 (16:46 -0400)]
Add PAM configuration code
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 20 Mar 2014 16:45:21 +0000 (12:45 -0400)]
Add Krb configuration code
Simo Sorce [Thu, 20 Mar 2014 17:21:55 +0000 (13:21 -0400)]
Add way to add data to the global login config
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Mar 2014 21:16:18 +0000 (17:16 -0400)]
Add saml2 configuration code
Creates the storage directory if not available
Generates new IDP certificate
Generate metadata file
Fix up permissions
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 19 Mar 2014 22:41:56 +0000 (18:41 -0400)]
Add functions to wipe and save plugin config data
This way all is needed is to instantiate a proper PluginObject from
any provider and just call its functions
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Mar 2014 18:44:05 +0000 (14:44 -0400)]
Saml2 Metadata generator class
This class generates metadata files for IDP and SP services and is meant
to be used at install/configure time.
It uses the certs module to generate certificates.
With tests!
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Mar 2014 18:43:04 +0000 (14:43 -0400)]
Simple certificate generator class
For now just generates self-signed certificates.
In future this class should connect to a CA, or other service like
certmonger's getcert to retrieve a certificate from a CA.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 19 Mar 2014 20:30:53 +0000 (16:30 -0400)]
Add user configuration option
This allows to specify what system user should be used to configure
the ipsilon server to run as.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Mar 2014 21:18:53 +0000 (17:18 -0400)]
Add hostname configuration option
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Mar 2014 22:50:59 +0000 (18:50 -0400)]
Silence cherrypy logging to the screen
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 20 Mar 2014 16:16:52 +0000 (12:16 -0400)]
Install default configuration files
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Mar 2014 21:13:28 +0000 (17:13 -0400)]
Add logging and install/uninstall targets
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 14 Mar 2014 22:08:49 +0000 (18:08 -0400)]
Add server-install plugin configuration support
Automatically finds plugins installed in the system and exposes their
installation and configuration functions through the installer.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 14 Mar 2014 20:55:29 +0000 (16:55 -0400)]
First install script commit
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 19 Mar 2014 21:08:51 +0000 (17:08 -0400)]
Fix minor syntax issues in saml2 provider
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 19 Mar 2014 21:05:04 +0000 (17:05 -0400)]
Remove unused import and fix syntax
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 7 Mar 2014 21:13:53 +0000 (16:13 -0500)]
Add sample spec file
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 13 Mar 2014 20:43:18 +0000 (16:43 -0400)]
Fix default and example paths
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 7 Mar 2014 21:21:56 +0000 (16:21 -0500)]
Fix install of data files.
Move doc and examples under appropriate directory.
Create data directory for templates and ui static files.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 13 Mar 2014 20:05:46 +0000 (16:05 -0400)]
Better handling of configuration file
allow to pass it on the command line or to look for it in well known
locations.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 3 Mar 2014 00:03:38 +0000 (19:03 -0500)]
Improve exceptions for saml2 providers
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 2 Mar 2014 23:32:06 +0000 (18:32 -0500)]
Add ability to strip domain/realm per provider
This allows to return (hopefully) the same name whether the user
authenticated via ESSO or form based authentication.
Crude for now, may be augmented with some regex configuration in the future.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 2 Mar 2014 23:29:15 +0000 (18:29 -0500)]
Unsplit checking functions
Easier to deal with stuff if they are a single validation function.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 2 Mar 2014 23:09:27 +0000 (18:09 -0500)]
Add a way to return the email address of the user
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 28 Feb 2014 21:16:25 +0000 (16:16 -0500)]
Add way to return Kerberos nameid if available
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 2 Mar 2014 23:06:44 +0000 (18:06 -0500)]
Add way to save user data after login
The login manager that successfully authenticated the user can now
pass data to be stored in the user facility of the session.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 2 Mar 2014 22:59:14 +0000 (17:59 -0500)]
Create a user facility in the session
This way all identification data about the user can be managed in
a single place and be erased/replaced at login time.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Thu, 27 Feb 2014 02:50:33 +0000 (21:50 -0500)]
Check the NameID policy during authentication
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 26 Feb 2014 23:42:09 +0000 (18:42 -0500)]
Add Service Provider class
This class allows to represent a service provider and its associated policy
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 25 Feb 2014 02:43:12 +0000 (21:43 -0500)]
Add authentication exception support
This also add code to return an error code to the SP.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 23 Feb 2014 23:41:13 +0000 (18:41 -0500)]
Initial SAML2 provider
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 23 Feb 2014 23:35:59 +0000 (18:35 -0500)]
Add way to tell if the session is anonymous
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Fri, 24 Jan 2014 19:41:11 +0000 (14:41 -0500)]
Add provider plugins loader
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 24 Feb 2014 23:34:17 +0000 (18:34 -0500)]
Use cherrypy handlers to render error pages
Replaces custom code to render 401 Unauthorized page as well as
adds 400 and 500 handlers
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 23 Feb 2014 23:39:35 +0000 (18:39 -0500)]
Better session management at login
Save data about the performed authentication
Do not destroy the whole session at login, providers may need to store
data before the user is authenticated and retrieve it later if
authentication was successful.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Sun, 23 Feb 2014 23:36:40 +0000 (18:36 -0500)]
Improve handling of session data
Add functions to store data in an organized way so that multiple plugins
can store data w/o stomping on each other.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 25 Feb 2014 00:58:10 +0000 (19:58 -0500)]
Add _debug facility to the Page class
Use this instead of the misleading "_log" name. These really are just
debugging statements not normal logging.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Feb 2014 20:08:12 +0000 (15:08 -0500)]
Move default template arguments to its own function
This way it is clearer what the defaults are, plus subclasses can
override the defaults if they so choose.
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Feb 2014 06:51:03 +0000 (01:51 -0500)]
Log available login managers
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 18 Feb 2014 20:17:35 +0000 (15:17 -0500)]
Fix master-admin template upper left corner href
Signed-off-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 22 Jan 2014 23:34:59 +0000 (18:34 -0500)]
Add initial design document
For now, very high level direction of the project and intended high level
architecture.
Signed-off-by: Simo Sorce <simo@redhat.com>
Petr Vobornik [Tue, 11 Feb 2014 16:36:37 +0000 (17:36 +0100)]
Apply patternfly to administration pages
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Petr Vobornik [Mon, 27 Jan 2014 17:10:20 +0000 (18:10 +0100)]
Initialize plugins in order defined in DB
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>