#!/usr/bin/python
#
-# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
from ipsilon.tools.saml2metadata import Metadata
from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
url_sp = url + args['saml_sp']
url_logout = url + args['saml_sp_logout']
url_post = url + args['saml_sp_post']
+ url_paos = url + args['saml_sp_paos']
# Generate metadata
m = Metadata('sp')
m.set_entity_id(url_sp)
m.add_certs(c)
m.add_service(SAML2_SERVICE_MAP['logout-redirect'], url_logout)
- m.add_service(SAML2_SERVICE_MAP['response-post'], url_post, index="0")
+ if not args['no_saml_soap_logout']:
+ m.add_service(SAML2_SERVICE_MAP['slo-soap'], url_logout)
+ m.add_service(SAML2_SERVICE_MAP['response-post'], url_post,
+ index="0", isDefault="true")
+ m.add_service(SAML2_SERVICE_MAP['response-paos'], url_paos,
+ index="1")
m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']])
sp_metafile = os.path.join(path, 'metadata.xml')
m.output(sp_metafile)
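Review bot: The `slo-soap` service added under the `no_saml_soap_logout` guard reuses `url_logout`, and nothing explains that, unlike the redirect binding already registered on that URL, SOAP single logout is a back-channel binding the IdP calls directly; a comment such as `# SOAP SLO is back-channel: the IdP itself must be able to reach url_logout, not just the user's browser` would save the next deployer a debugging session. The PAOS/ECP endpoint is published unconditionally with no opt-out parallel to `--no-saml-soap-logout`, so every generated SP metadata advertises an ECP endpoint whether or not the SP side is configured for it; if that is intentional, say so in a one-line comment. The `index="0", isDefault="true"` / `index="1"` pairing on the two assertion consumer services also deserves a comment: `# POST ACS (index 0) is the default used when an AuthnRequest names no ACS; the PAOS ACS (index 1) is selected only by ECP clients`. The function containing this block begins before the hunk.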
logger.error("Failed to read password file!\n" +
"Error: [%s]" % e)
raise
+ elif ('IPSILON_ADMIN_PASSWORD' in os.environ) and \
+ (os.environ['IPSILON_ADMIN_PASSWORD']):
+ admin_password = os.environ['IPSILON_ADMIN_PASSWORD']
else:
admin_password = getpass.getpass('%s password: ' %
args['admin_user'])
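Review bot: The `IPSILON_ADMIN_PASSWORD` value read in the new `elif` branch is left in `os.environ` after use, so it is inherited by every subprocess the installer spawns afterwards and stays visible in the process environment for the rest of the run; consuming it with `admin_password = os.environ.pop('IPSILON_ADMIN_PASSWORD')` limits that exposure to the one read. The condition can be written as `elif os.environ.get('IPSILON_ADMIN_PASSWORD'):`, which keeps the current behavior (an empty value falls through to `getpass`) without the backslash continuation. The variable is not mentioned in any help text in this diff; a comment `# non-interactive installs may supply the admin password via IPSILON_ADMIN_PASSWORD` above the branch would document the contract. The enclosing `if`/`else` and the `try` that the `raise` above belongs to start outside the hunk.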
if g in globals():
globals()[g] = val
else:
- for k in globals().keys():
+ for k in globals():
if k.lower() == g.lower():
globals()[k] = val
break
help="Where saml2 authentication is enforced")
parser.add_argument('--saml-sp', default='/saml2',
help="Where saml communication happens")
- parser.add_argument('--saml-sp-logout', default='/saml2/logout',
+ parser.add_argument('--saml-sp-logout', default=None,
help="Single Logout URL")
- parser.add_argument('--saml-sp-post', default='/saml2/postResponse',
+ parser.add_argument('--saml-sp-post', default=None,
help="Post response URL")
+ parser.add_argument('--saml-sp-paos', default=None,
+ help="PAOS response URL, used for ECP")
+ parser.add_argument('--no-saml-soap-logout', action='store_true',
+ default=False,
+ help="Disable Single Logout over SOAP")
parser.add_argument('--saml-secure-setup', action='store_true',
default=True, help="Turn on all security checks")
parser.add_argument('--saml-nameid', default='unspecified',
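Review bot: Switching `--saml-sp-logout`, `--saml-sp-post` and `--saml-sp-paos` to `default=None` removes the effective default from `--help` output even though the values are still derived from `--saml-sp` later in the script; the help strings should state it, e.g. `help="Single Logout URL (default: <saml-sp>/logout)"`, `help="Post response URL (default: <saml-sp>/postResponse)"`, `help="PAOS response URL, used for ECP (default: <saml-sp>/paosResponse)"`. `default=False` on the `store_true` option `--no-saml-soap-logout` is redundant and can be dropped. The neighbouring `--saml-secure-setup` context line combines `action='store_true'` with `default=True`, so that flag can never be switched off; that predates this change but deserves a `# TODO` now that new options sit beside it. The parser setup continues outside the hunk on both sides.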
parser.add_argument('--debug', action='store_true', default=False,
help="Turn on script debugging")
parser.add_argument('--config-profile', default=None,
- help="File containing install options")
+ help=argparse.SUPPRESS)
parser.add_argument('--uninstall', action='store_true',
help="Uninstall the server and all data")
# Validate that all path options begin with '/'
path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout',
- 'saml_sp_post']
+ 'saml_sp_post', 'saml_sp_paos']
for path_arg in path_args:
- if not args[path_arg].startswith('/'):
+ if args[path_arg] is not None and not args[path_arg].startswith('/'):
raise ValueError('--%s must begin with a / character.' %
path_arg.replace('_', '-'))
if not args['saml_sp'].startswith(args['saml_base']):
raise ValueError('--saml-sp must be a subpath of --saml-base.')
- # The saml_sp_logout and saml_sp_post settings must be subpaths
- # of saml_sp (the mellon endpoint).
- path_args = ['saml_sp_logout', 'saml_sp_post']
- for path_arg in path_args:
- if not args[path_arg].startswith(args['saml_sp']):
+ # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
+ # be subpaths of saml_sp (the mellon endpoint).
+ path_args = {'saml_sp_logout': 'logout',
+ 'saml_sp_post': 'postResponse',
+ 'saml_sp_paos': 'paosResponse'}
+ for path_arg, default_path in path_args.items():
+ if args[path_arg] is None:
+ args[path_arg] = '%s/%s' % (args['saml_sp'].rstrip('/'),
+ default_path)
+
+ elif not args[path_arg].startswith(args['saml_sp']):
raise ValueError('--%s must be a subpath of --saml-sp' %
path_arg.replace('_', '-'))
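Review bot: The subpath test in the new `elif` (`not args[path_arg].startswith(args['saml_sp'])`) is a plain string-prefix check, so an explicit `--saml-sp-post /saml2-other/postResponse` is accepted as a "subpath" of `/saml2`, and a trailing slash on `--saml-sp` is not normalized the way the `rstrip('/')` in the default branch does; the `--saml-sp`/`--saml-base` check above has the same weakness. Comparing against a normalized prefix, `sp_prefix = args['saml_sp'].rstrip('/') + '/'` and `elif not args[path_arg].startswith(sp_prefix):`, turns it into a real path-component test and also rejects a value equal to `--saml-sp` itself, which matches the error message's wording. The blank `+` line inserted between the `if` body and the `elif` is unusual formatting and should be removed. The enclosing block starts before the hunk.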
except Exception, e: # pylint: disable=broad-except
log_exception(e)
if 'uninstall' in args and args['uninstall'] is True:
- print 'Uninstallation aborted.'
+ logging.info('Uninstallation aborted.')
else:
- print 'Installation aborted.'
+ logging.info('Installation aborted.')
out = 1
finally:
if out == 0:
if 'uninstall' in args and args['uninstall'] is True:
- print 'Uninstallation complete.'
+ logging.info('Uninstallation complete.')
else:
- print 'Installation complete.'
+ logging.info('Installation complete.')
sys.exit(out)
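Review bot: The abort and completion messages move from `print` to `logging.info` on the root logger, which emits nothing unless the root logger is configured at INFO or below; no `logging.basicConfig` or handler setup is visible in this diff, so confirm one exists, otherwise operators lose the "Installation complete." confirmation that `print` always produced. If the intent is terminal output regardless of log level, the `logger` object this file already uses (see the `logger.error` call earlier in the diff) or keeping a `print` alongside the log call may fit better. The `try`/`except`/`finally` these lines belong to starts before the hunk.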