#!/usr/bin/python
#
-# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
from ipsilon.tools.saml2metadata import Metadata
from ipsilon.tools.saml2metadata import SAML2_NAMEID_MAP
from ipsilon.tools.saml2metadata import SAML2_SERVICE_MAP
from ipsilon.tools.certs import Certificate
-from string import Template
+from ipsilon.tools import files
+from urllib import urlencode
import argparse
+import ConfigParser
+import getpass
+import json
import logging
import os
import pwd
import shutil
import socket
import sys
+import base64
HTTPDCONFD = '/etc/httpd/conf.d'
if args['saml_idp_metadata'] is None:
#TODO: detect via SRV records ?
- raise ValueError('An IDP metadata file/url is required.')
+ if args['saml_idp_url']:
+ args['saml_idp_metadata'] = ('%s/saml2/metadata' %
+ args['saml_idp_url'].rstrip('/'))
+ else:
+ raise ValueError('An IDP URL or metadata file/URL is required.')
idpmeta = None
raise
path = None
- if args['saml_httpd']:
+ if not args['saml_no_httpd']:
path = os.path.join(SAML2_HTTPDIR, args['hostname'])
+ if os.path.exists(path):
+ raise Exception('Service Provider is already configured')
os.makedirs(path, 0750)
else:
path = os.getcwd()
- url = 'https://' + args['hostname']
+ proto = 'https'
+ if not args['saml_secure_setup']:
+ proto = 'http'
+
+ port_str = ''
+ if args['port']:
+ port_str = ':%s' % args['port']
+
+ url = '%s://%s%s' % (proto, args['hostname'], port_str)
url_sp = url + args['saml_sp']
url_logout = url + args['saml_sp_logout']
url_post = url + args['saml_sp_post']
+ url_paos = url + args['saml_sp_paos']
# Generate metadata
m = Metadata('sp')
m.set_entity_id(url_sp)
m.add_certs(c)
m.add_service(SAML2_SERVICE_MAP['logout-redirect'], url_logout)
- m.add_service(SAML2_SERVICE_MAP['response-post'], url_post, index="0")
+ if not args['no_saml_soap_logout']:
+ m.add_service(SAML2_SERVICE_MAP['slo-soap'], url_logout)
+ m.add_service(SAML2_SERVICE_MAP['response-post'], url_post,
+ index="0", isDefault="true")
+ m.add_service(SAML2_SERVICE_MAP['response-paos'], url_paos,
+ index="1")
+ m.add_allowed_name_format(SAML2_NAMEID_MAP[args['saml_nameid']])
sp_metafile = os.path.join(path, 'metadata.xml')
m.output(sp_metafile)
- if args['saml_httpd']:
+ # Register with the IDP if the IDP URL was provided
+ if args['saml_idp_url']:
+ if args['admin_password']:
+ if args['admin_password'] == '-':
+ admin_password = sys.stdin.readline().rstrip('\n')
+ else:
+ try:
+ with open(args['admin_password']) as f:
+ admin_password = f.read().rstrip('\n')
+ except Exception as e: # pylint: disable=broad-except
+ logger.error("Failed to read password file!\n" +
+ "Error: [%s]" % e)
+ raise
+ elif ('IPSILON_ADMIN_PASSWORD' in os.environ) and \
+ (os.environ['IPSILON_ADMIN_PASSWORD']):
+ admin_password = os.environ['IPSILON_ADMIN_PASSWORD']
+ else:
+ admin_password = getpass.getpass('%s password: ' %
+ args['admin_user'])
+
+ # Read our metadata
+ sp_metadata = ''
+ try:
+ with open(sp_metafile) as f:
+ for line in f:
+ sp_metadata += line.strip()
+ except Exception as e: # pylint: disable=broad-except
+ logger.error("Failed to read SP Metadata file!\n" +
+ "Error: [%s]" % e)
+ raise
+
+ sp_image = None
+ if args['saml_sp_image']:
+ try:
+ # FIXME: limit size
+ with open(args['saml_sp_image']) as f:
+ sp_image = f.read()
+ sp_image = base64.b64encode(sp_image)
+ except Exception as e: # pylint: disable=broad-except
+ logger.error("Failed to read SP Image file!\n" +
+ "Error: [%s]" % e)
+
+ # Register the SP
+ try:
+ saml2_register_sp(args['saml_idp_url'], args['admin_user'],
+ admin_password, args['saml_sp_name'],
+ sp_metadata, args['saml_sp_description'],
+ args['saml_sp_visible'], sp_image)
+ except Exception as e: # pylint: disable=broad-except
+ logger.error("Failed to register SP with IDP!\n" +
+ "Error: [%s]" % e)
+ raise
+
+ if not args['saml_no_httpd']:
idp_metafile = os.path.join(path, 'idp-metadata.xml')
with open(idp_metafile, 'w+') as f:
f.write(idpmeta)
saml_protect = 'info'
saml_auth = '<Location %s>\n' \
' MellonEnable "auth"\n' \
+ ' Header append Cache-Control "no-cache"\n' \
'</Location>\n' % args['saml_auth']
psp = '# '
# default location, enable the default page
psp = ''
- with open(SAML2_TEMPLATE) as f:
- template = f.read()
- t = Template(template)
- hunk = t.substitute(saml_base=args['saml_base'],
- saml_protect=saml_protect,
- saml_sp_key=c.key,
- saml_sp_cert=c.cert,
- saml_sp_meta=sp_metafile,
- saml_idp_meta=idp_metafile,
- saml_sp=args['saml_sp'],
- saml_auth=saml_auth, sp=psp)
-
- with open(SAML2_CONFFILE, 'w+') as f:
- f.write(hunk)
+ saml_secure = 'Off'
+ ssl_require = '#'
+ ssl_rewrite = '#'
+ if args['port']:
+ ssl_port = args['port']
+ else:
+ ssl_port = '443'
+
+ if args['saml_secure_setup']:
+ saml_secure = 'On'
+ ssl_require = ''
+ ssl_rewrite = ''
+
+ samlopts = {'saml_base': args['saml_base'],
+ 'saml_protect': saml_protect,
+ 'saml_sp_key': c.key,
+ 'saml_sp_cert': c.cert,
+ 'saml_sp_meta': sp_metafile,
+ 'saml_idp_meta': idp_metafile,
+ 'saml_sp': args['saml_sp'],
+ 'saml_secure_on': saml_secure,
+ 'saml_auth': saml_auth,
+ 'ssl_require': ssl_require,
+ 'ssl_rewrite': ssl_rewrite,
+ 'ssl_port': ssl_port,
+ 'sp_hostname': args['hostname'],
+ 'sp_port': port_str,
+ 'sp': psp}
+ files.write_from_template(SAML2_CONFFILE, SAML2_TEMPLATE, samlopts)
files.fix_user_dirs(SAML2_HTTPDIR, args['httpd_user'])
' configure your Service Provider')
+def saml2_register_sp(url, user, password, sp_name, sp_metadata,
+ sp_description, sp_visible, sp_image):
+ s = requests.Session()
+
+ # Authenticate to the IdP
+ form_auth_url = '%s/login/form' % url.rstrip('/')
+ test_auth_url = '%s/login/testauth' % url.rstrip('/')
+ auth_data = {'login_name': user,
+ 'login_password': password}
+
+ r = s.post(form_auth_url, data=auth_data)
+ if r.status_code == 404:
+ r = s.post(test_auth_url, data=auth_data)
+
+ if r.status_code != 200:
+ raise Exception('Unable to authenticate to IdP (%d)' % r.status_code)
+
+ # Add the SP
+ sp_url = '%s/rest/providers/saml2/SPS/%s' % (url.rstrip('/'), sp_name)
+ sp_headers = {'Content-type': 'application/x-www-form-urlencoded',
+ 'Referer': sp_url}
+ sp_data = {'metadata': sp_metadata}
+ if sp_description:
+ sp_data['description'] = sp_description
+ if sp_visible:
+ sp_data['visible'] = sp_visible
+ if sp_image:
+ if sp_image:
+ sp_data['imagefile'] = sp_image
+ sp_data = urlencode(sp_data)
+
+ r = s.post(sp_url, headers=sp_headers, data=sp_data)
+ if r.status_code != 201:
+ message = json.loads(r.text)['message']
+ raise Exception('%s' % message)
+
+
def install():
if args['saml']:
saml2()
def saml2_uninstall():
- try:
- shutil.rmtree(os.path.join(SAML2_HTTPDIR, args['hostname']))
- except Exception, e: # pylint: disable=broad-except
- log_exception(e)
- try:
- os.remove(SAML2_CONFFILE)
- except Exception, e: # pylint: disable=broad-except
- log_exception(e)
+ path = os.path.join(SAML2_HTTPDIR, args['hostname'])
+ if os.path.exists(path):
+ try:
+ shutil.rmtree(path)
+ except Exception, e: # pylint: disable=broad-except
+ log_exception(e)
+
+ if os.path.exists(SAML2_CONFFILE):
+ try:
+ os.remove(SAML2_CONFFILE)
+ except Exception, e: # pylint: disable=broad-except
+ log_exception(e)
def uninstall():
logger.error(e)
+def parse_config_profile(args):
+ config = ConfigParser.ConfigParser()
+ files = config.read(args['config_profile'])
+ if len(files) == 0:
+ raise ConfigurationError('Config Profile file %s not found!' %
+ args['config_profile'])
+
+ if 'globals' in config.sections():
+ G = config.options('globals')
+ for g in G:
+ val = config.get('globals', g)
+ if val == 'False':
+ val = False
+ elif val == 'True':
+ val = True
+ if g in globals():
+ globals()[g] = val
+ else:
+ for k in globals():
+ if k.lower() == g.lower():
+ globals()[k] = val
+ break
+
+ if 'arguments' in config.sections():
+ A = config.options('arguments')
+ for a in A:
+ val = config.get('arguments', a)
+ if val == 'False':
+ val = False
+ elif val == 'True':
+ val = True
+ args[a] = val
+
+ return args
+
+
def parse_args():
global args
action='version', version='%(prog)s 0.1')
parser.add_argument('--hostname', default=socket.getfqdn(),
help="Machine's fully qualified host name")
+ parser.add_argument('--port', default=None,
+ help="Port number that SP listens on")
parser.add_argument('--admin-user', default='admin',
help="Account allowed to create a SP")
+ parser.add_argument('--admin-password', default=None,
+ help="File containing the password for the account " +
+ "used to create a SP (- to read from stdin)")
parser.add_argument('--httpd-user', default='apache',
help="Web server account used to read certs")
- parser.add_argument('--saml', action='store_true', default=False,
+ parser.add_argument('--saml', action='store_true', default=True,
help="Whether to install a saml2 SP")
+ parser.add_argument('--saml-idp-url', default=None,
+ help="A URL of the IDP to register the SP with")
parser.add_argument('--saml-idp-metadata', default=None,
help="A URL pointing at the IDP Metadata (FILE or HTTP)")
- parser.add_argument('--saml-httpd', action='store_true', default=False,
- help="Automatically configure httpd")
+ parser.add_argument('--saml-no-httpd', action='store_true', default=False,
+ help="Do not configure httpd")
parser.add_argument('--saml-base', default='/',
help="Where saml2 authdata is available")
parser.add_argument('--saml-auth', default=SAML2_PROTECTED,
help="Where saml2 authentication is enforced")
parser.add_argument('--saml-sp', default='/saml2',
help="Where saml communication happens")
- parser.add_argument('--saml-sp-logout', default='/saml2/logout',
+ parser.add_argument('--saml-sp-logout', default=None,
help="Single Logout URL")
- parser.add_argument('--saml-sp-post', default='/saml2/postResponse',
+ parser.add_argument('--saml-sp-post', default=None,
help="Post response URL")
+ parser.add_argument('--saml-sp-paos', default=None,
+ help="PAOS response URL, used for ECP")
+ parser.add_argument('--no-saml-soap-logout', action='store_true',
+ default=False,
+ help="Disable Single Logout over SOAP")
+ parser.add_argument('--saml-secure-setup', action='store_true',
+ default=True, help="Turn on all security checks")
+ parser.add_argument('--saml-nameid', default='unspecified',
+ choices=SAML2_NAMEID_MAP.keys(),
+ help="SAML NameID format to use")
+ parser.add_argument('--saml-sp-name', default=None,
+ help="The SP name to register with the IdP")
+ parser.add_argument('--saml-sp-description', default=None,
+ help="The description of the SP to display on the " +
+ "portal")
+ parser.add_argument('--saml-sp-visible', action='store_false',
+ default=True,
+ help="The SP is visible in the portal")
+ parser.add_argument('--saml-sp-image', default=None,
+ help="Image to display for this SP on the portal")
parser.add_argument('--debug', action='store_true', default=False,
help="Turn on script debugging")
+ parser.add_argument('--config-profile', default=None,
+ help=argparse.SUPPRESS)
parser.add_argument('--uninstall', action='store_true',
help="Uninstall the server and all data")
args = vars(parser.parse_args())
+ if args['config_profile']:
+ args = parse_config_profile(args)
+
if len(args['hostname'].split('.')) < 2:
- raise ValueError('Hostname: %s is not a FQDN.')
+ raise ValueError('Hostname: %s is not a FQDN.' % args['hostname'])
+
+ if args['port'] and not args['port'].isdigit():
+ raise ValueError('Port number: %s is not an integer.' % args['port'])
+
+ # Validate that all path options begin with '/'
+ path_args = ['saml_base', 'saml_auth', 'saml_sp', 'saml_sp_logout',
+ 'saml_sp_post', 'saml_sp_paos']
+ for path_arg in path_args:
+ if args[path_arg] is not None and not args[path_arg].startswith('/'):
+ raise ValueError('--%s must begin with a / character.' %
+ path_arg.replace('_', '-'))
+
+ # The saml_sp setting must be a subpath of saml_base since it is
+ # used as the MellonEndpointPath.
+ if not args['saml_sp'].startswith(args['saml_base']):
+ raise ValueError('--saml-sp must be a subpath of --saml-base.')
+
+ # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
+ # be subpaths of saml_sp (the mellon endpoint).
+ path_args = {'saml_sp_logout': 'logout',
+ 'saml_sp_post': 'postResponse',
+ 'saml_sp_paos': 'paosResponse'}
+ for path_arg, default_path in path_args.items():
+ if args[path_arg] is None:
+ args[path_arg] = '%s/%s' % (args['saml_sp'].rstrip('/'),
+ default_path)
+
+ elif not args[path_arg].startswith(args['saml_sp']):
+ raise ValueError('--%s must be a subpath of --saml-sp' %
+ path_arg.replace('_', '-'))
+
+ # If saml_idp_url if being used, we require saml_sp_name to
+ # use when registering the SP.
+ if args['saml_idp_url'] and not args['saml_sp_name']:
+ raise ValueError('--saml-sp-name must be specified when using' +
+ '--saml-idp-url')
# At least one on this list needs to be specified or we do nothing
sp_list = ['saml']
if 'uninstall' in args and args['uninstall'] is True:
uninstall()
-
- install()
+ else:
+ install()
except Exception, e: # pylint: disable=broad-except
log_exception(e)
if 'uninstall' in args and args['uninstall'] is True:
- print 'Uninstallation aborted.'
+ logging.info('Uninstallation aborted.')
else:
- print 'Installation aborted.'
+ logging.info('Installation aborted.')
out = 1
finally:
if out == 0:
if 'uninstall' in args and args['uninstall'] is True:
- print 'Uninstallation complete.'
+ logging.info('Uninstallation complete.')
else:
- print 'Installation complete.'
+ logging.info('Installation complete.')
sys.exit(out)