Patrick Uiterwijk [Mon, 11 May 2015 23:12:15 +0000 (01:12 +0200)]
Bump version for 1.0.0 release
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Wed, 6 May 2015 22:22:55 +0000 (18:22 -0400)]
Install man pages for client and server
This includes the man pages for the installers and for
ipsilon.conf.
https://fedorahosted.org/ipsilon/ticket/34
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Thu, 7 May 2015 20:34:27 +0000 (16:34 -0400)]
Add man page for ipsilon.conf.
https://fedorahosted.org/ipsilon/ticket/34
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Thu, 7 May 2015 18:55:20 +0000 (14:55 -0400)]
Add more text to ipsilon(7) man page
https://fedorahosted.org/ipsilon/ticket/34
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Wed, 6 May 2015 22:15:15 +0000 (18:15 -0400)]
ipsilon-server-install man page
https://fedorahosted.org/ipsilon/ticket/34
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Wed, 6 May 2015 18:54:19 +0000 (14:54 -0400)]
ipsilon-client-install man page
https://fedorahosted.org/ipsilon/ticket/34
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Mon, 11 May 2015 22:15:51 +0000 (18:15 -0400)]
Add logout to pgdb, fix name in tests
Add a logout to the postgres test to ensure that sessions are
updated properly on logout.
Fix the name in the tests, it was test1.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Mon, 11 May 2015 22:14:42 +0000 (18:14 -0400)]
Use plugin-specific configuration, better expiration
Use a SAML2 plugin specific option to specify the database uri
for sessions.
Use a much more robust method to find sessions that need
expiration (thanks Patrick).
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Mon, 20 Apr 2015 20:44:41 +0000 (16:44 -0400)]
Remove expired SAML2 sessions
Run a cherrypy background task to sift through the sessions
database and find expired entries and remove them.
From my testing if a previous execution of the background task
is still executing when the next one is scheduled to run, it will
skip it. In other words, you can't end up with multiple expirations
running at the same time.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 13:44:04 +0000 (09:44 -0400)]
Update IdP-initiated logout to use SAML2 Store
This moves the order in which the "fake" session is created and
it gives it a unique ID rather than using a fixed value.
Rely on the LogoutRequest request ID so we can get the
order of logout correct.
The basic idea is a logout request is created for the IdP
containing the URL of the IdP itself as the RelayState. A
session is picked and a LogoutRequest generated and sent.
There will be a LogoutRequest/LogoutResponse back and forth
until there are no more sessions to log out. The last
session will be this "fake" session that started it all
and the user will be redirected to the main page of the IdP.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 13:40:30 +0000 (09:40 -0400)]
Convert logout code to use SAML2 Store
This is functionally the same. The primary differences are:
- When logging out, fetch all requested session indexes in the
LogoutRequest.
- Store the LogoutRequest request ID to be used later when a
LogoutResponse is received to look up the logout.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 13:38:14 +0000 (09:38 -0400)]
Create a SAML2 session during login
Use the updated session API to create a SAML2 session.
Note that each session is stored discretely. Previously if
a session for a provider already existed then that one session
held all the session indexes. Now if a new session comes in
it is added separately. During logout all sessions for a provider
are retrieved and all logged-in sessions sent to the SP to
log out.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 13:35:25 +0000 (09:35 -0400)]
Change SAML2 sessions backend to use Store API
The basic session API remains the same, just replace
the calls to pull data out of the user session to
instead pull from the database.
The per-session logout state is now a constant rather than
being a member of either the logged_in or logging_out
dictionaries.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 13:34:41 +0000 (09:34 -0400)]
Configure the SAML2 session database during installation
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 13:30:31 +0000 (09:30 -0400)]
Add support for storing SAML2 sessions
Store SAML2 session information in a table rather than with the
user entry so sessions can be persisted past IdP restarts and if
the user accesses the system via multiple browsers SLO will log
out all sessions, not just the user session that initiated the
logout.
https://fedorahosted.org/ipsilon/ticket/90
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk [Fri, 8 May 2015 16:30:02 +0000 (18:30 +0200)]
Add uninstallation support to infosssd
This should make it revert any changes it made during
installation.
https://fedorahosted.org/ipsilon/ticket/67
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Fri, 8 May 2015 16:12:06 +0000 (18:12 +0200)]
Implement change registration
This will make it possible for plugins to register what they
have changed during installation, so that they can revert
any changes they made during the uninstallation.
https://fedorahosted.org/ipsilon/ticket/67
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Fri, 8 May 2015 14:56:36 +0000 (16:56 +0200)]
Add database schema versioning
With this skeleton code we can add upgrade code
if we ever change the database schema.
https://fedorahosted.org/ipsilon/ticket/56
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
John Dennis [Mon, 26 Jan 2015 21:04:40 +0000 (16:04 -0500)]
Implement ECP in Ipsilon
* add saml2/SSO/SOAP endpoint.
* add check for lasso version, ECP endpoint only exposed in metadata
if lasso has full ECP support.
* add SSO_SOAP soap authentication handler (used for ECP).
* add SAML binding to transaction so we can determine if cookies
and other HTTP concepts are expected. Each handler is responsible
for setting the binding.
* add some constants needed for ECP
https://fedorahosted.org/ipsilon/ticket/4
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Fri, 8 May 2015 02:40:19 +0000 (22:40 -0400)]
Update Copyright header point to COPYING file
Point to a file containing the license rather than including
it in every single source file. This will make it easier to
manage the license in the future without another humongous
commit.
https://fedorahosted.org/ipsilon/ticket/126
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Fri, 8 May 2015 13:46:24 +0000 (09:46 -0400)]
Remove extraneous logging arg in authform login plugin
If you didn't provide credentials at all at the form by
pressing ENTER then a 500 error would be thrown rather
than an authentication error.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Fri, 8 May 2015 13:44:26 +0000 (09:44 -0400)]
Set infosssd config value preconfigured as a boolean
It was storing a python boolean which saved as integer 1
but when reading the data the Condition translates text into
a python native value.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Rob Crittenden [Thu, 7 May 2015 19:51:23 +0000 (15:51 -0400)]
Add db.conn.log option to suppress sql logs by default
The Store logging is quite verbose with a flurry of
init and destroy messages with each session. Setting
db.conn.log to False (default) will suppress these. If one
needs to do connection tracing it can be enabled.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Nathan Kinder [Thu, 7 May 2015 17:59:30 +0000 (10:59 -0700)]
Fix ownership of config and state directories
The recent RPM package restructing introduced some problems with
the ownership of /etc/ipsilon and /var/lib/ipsilon. These were
previously owned by the 'ipsilon' user, but the changes resulted
in the ownership being set as root since the 'ipsilon' user was
not yet created when the directories were installed.
While discussing this problem, it was determined that we should
have the ownership of these directories be root, but allow other
users to traverse through them so they can access subdirectories
that they have permissions on.
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Simo Sorce [Thu, 7 May 2015 16:33:40 +0000 (12:33 -0400)]
pylint 1.4.3 version fixes
Pylint 1.4.3 completely stopped recognizing the star-args condition.
In order to avoid pylint error with > 1.4.3 stop caring for star-args
and add cmdline option to ignore those errors completly so older pylint
versions are happy too.
Also fix type() vs isinstance() checks, isinstance is generally a more
correct approach to check for classes.
In some 'admin' files the type() -> isinstance() fix required to invert
the order in which ComplexList and MappingList are checked as the latter
is a subclass of ComplexList, so it needs to be checked first otherwise
the check for isinstance(option, ComplexList) matches for both and the
code stops functioning properly.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Tue, 5 May 2015 16:37:31 +0000 (12:37 -0400)]
Pull the GSSAPI principal out of the userattrs
This was originally getting the principal from the
user object itself which meant it was looking for
it in the database. Look in the attributes instead
which are stored in the user session.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 5 May 2015 15:27:14 +0000 (11:27 -0400)]
Enable Kerberos NameID testing in testnameid
Since there is now an easy way to stand up a KDC in the
tests go ahead and enable it so the Kerberos NameID can be
tested.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 28 Apr 2015 14:52:55 +0000 (10:52 -0400)]
Configure a KDC, add test for GSSAPI/Kerberos
Using nss_wrappers so we can control host names we can
setup a KDC and test GSSAPI, including fallback to
forms-based auth.
This also means that fetch_page() needs to handle 401
a bit better, so it can re-try a failed authentication or
fall back to forms-based auth.
Note for posterity: if gss_localname() fails this is likely
due to using the wrong krb5.conf in Apache, so pass in all
environment variables.
The KDC setup code was based heavily on the tests in the
gssproxy project.
https://fedorahosted.org/ipsilon/ticket/116
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 22:19:17 +0000 (18:19 -0400)]
Use python logging in install / log cherrypy at right severity
This replaces the print statements in the installer code with
a python logger so we can log all output to the installer log
and a subset of it to stdout in one step without duplication.
The cherrypy.log.error() logs to the "error" log at a severity
of logging.INFO by default. Set an appropriate log level for
these as well.
https://fedorahosted.org/ipsilon/ticket/35
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Wed, 6 May 2015 15:35:50 +0000 (11:35 -0400)]
Remove unnecessary lines from infoldap plugin
These three lines were ostensibly storing various elements
of configuration but were in fact creating a new dict
each time, wiping out all previous elements.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Wed, 6 May 2015 15:47:46 +0000 (11:47 -0400)]
SSSD info plugin is immutable if not preconfigured
The SSSD info plugin configures SSSD and modules in
Apache as root during installation. This cannot be
done in the UI so we must not allow users to modify
the state if it was not "preconfigured" during
install.
If it has been configured then users are allowed
to enable/disable the plugin.
This is controlled by a value stored in the
info_config table, preconfigured.
The plugin configuration is hidden from the UI by
overridding the get_config_object() method.
https://fedorahosted.org/ipsilon/ticket/111
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Wed, 29 Apr 2015 17:57:34 +0000 (13:57 -0400)]
Drop usage of self._debug and use self.debug instead
This method was deprecated but still used in a lot of places.
https://fedorahosted.org/ipsilon/ticket/120
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Wed, 29 Apr 2015 18:13:25 +0000 (14:13 -0400)]
Fix lint issues with loginstack changes
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Tue, 31 Mar 2015 20:35:15 +0000 (16:35 -0400)]
Merge the login and info plugins configurations
Having separate login and info plugins configuration pages doesn't
really make a lot of sense. As a first step moving towards login stacks
put login and info plugin configuration into a common "Login Stack"
menu item.
https://fedorahosted.org/ipsilon/ticket/117
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Tue, 28 Apr 2015 19:16:54 +0000 (15:16 -0400)]
Change references to authkrb plugin to authgssapi
With the switch to mod_auth_gssapi we aren't limited to only
negotiated Kerberos so name the plugin to reflect this.
https://fedorahosted.org/ipsilon/ticket/114
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Tue, 28 Apr 2015 19:15:39 +0000 (15:15 -0400)]
Rename authkrb plugin to authgssapi
https://fedorahosted.org/ipsilon/ticket/114
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Tue, 28 Apr 2015 18:26:40 +0000 (20:26 +0200)]
Insert a small timeout before reporting the test successful
This is so the OS gets enough time to clean up all
of the sockets used during the execution of the test.
Without this, sometimes a "port already in use" error
will fail the next test.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Tue, 28 Apr 2015 19:02:12 +0000 (21:02 +0200)]
Allow scheme to be visible again in admin page
Without this, the browser will refuse to load the scheme.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Tue, 28 Apr 2015 17:11:12 +0000 (19:11 +0200)]
Add OpenID test suite
This tests core OpenID and the Attribute Exchange,
Simple Registration and Teams extensions.
Using a small wsgi tool because mod_auth_openid does
not support all extensions.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Mon, 27 Apr 2015 20:22:05 +0000 (22:22 +0200)]
Fix OpenID AX extension bug
This makes sure that _display returns a dict, and that
the result from _resp can still be passed to addExtension
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Tue, 21 Apr 2015 14:00:31 +0000 (10:00 -0400)]
Fix Apache configuration to use correct location of ipsilon
When I moved the ipsilon command from /usr/sbin to /usr/libexec
I missed updating the Apache configuration.
https://fedorahosted.org/ipsilon/ticket/119
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Simo Sorce [Mon, 27 Apr 2015 16:46:39 +0000 (12:46 -0400)]
Make availble a list of alternative aut methods
In the form case there is no way to automatically fallback to
other auth methods or even repeat transparent methods.
Add a simple list of alternative auth methods under the description
box so that the user can easily switch back and forth between them
if desired.
Fixes: https://fedorahosted.org/ipsilon/ticket/96
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Wed, 22 Apr 2015 21:29:25 +0000 (17:29 -0400)]
Populate krb_principal_name from GSS_NAME env var
mod_auth_gssapi provides by default the local name in
REMOTE_USER and the full principal in GSS_NAME. Grab a
copy of that principal for krb_principal_name.
https://fedorahosted.org/ipsilon/ticket/115
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Thu, 23 Apr 2015 20:42:27 +0000 (16:42 -0400)]
Disallow iframes via X-Frame-Options and CSP by default
A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.
The Persona plugin relies on iframes and uses this decorator
for all endpoints.
https://fedorahosted.org/ipsilon/ticket/15
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk [Thu, 23 Apr 2015 21:25:04 +0000 (23:25 +0200)]
Use the new transaction convenience function in Persona
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Simo Sorce [Fri, 17 Apr 2015 20:05:40 +0000 (16:05 -0400)]
Fix sticter lint checks
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Tue, 14 Apr 2015 15:49:00 +0000 (11:49 -0400)]
Use mod_auth_gssapi instead of mod_auth_kerb
Change configuration on new installs only.
Enable GssapiLocalName so we have access to the local name in
REMOTE_USER and the full principle in GSS_NAME.
Enable GssapiSSLonly even though SSLRequireSSL is also set.
The belt and suspenders principla.
https://fedorahosted.org/ipsilon/ticket/89
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 14 Apr 2015 19:43:34 +0000 (15:43 -0400)]
Move ipsilon WSGI script from /usr/sbin to /usr/libexec
This command is not intended to be executed by end-users.
https://fedorahosted.org/ipsilon/ticket/76
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Patrick Uiterwijk [Wed, 15 Apr 2015 14:38:30 +0000 (16:38 +0200)]
Release v0.6.0
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Tue, 14 Apr 2015 11:00:25 +0000 (13:00 +0200)]
Close database sesssions
This will close any opened database sessions at the end
of the request.
https://fedorahosted.org/ipsilon/ticket/110
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Thu, 9 Apr 2015 23:20:03 +0000 (19:20 -0400)]
Better error handling for login mgrs in server install/uninstall
The purpose is to catch it when either no modules are enabled or if
you try to set the login module order and one of them is not
available/installed, then fail gracefully.
There were some baked-in assumptions that all login providers
are installed. Add some error handling around trying to determine
what is available, and rather than trying to force pam to be enabled
just exit with a handy message.
Don't rely on lm_order during uninstall. Use the list of enabled
Login managers instead.
Bail out of argument checking if uninstall is requested.
https://fedorahosted.org/ipsilon/ticket/105
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk [Mon, 13 Apr 2015 13:26:48 +0000 (15:26 +0200)]
Fix bootstrap tooltip error
This was caused by running the tooltip() function against
the document object, while it should be ran against the
objects that use a tooltip.
This new method is the suggested way to enable tooltips
per http://getbootstrap.com/javascript/#tooltips-examples.
https://fedorahosted.org/ipsilon/ticket/98
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Thu, 9 Apr 2015 19:11:39 +0000 (15:11 -0400)]
Add test for per-SP allowed and mapping attributes
This buidls up a specific global mapping and allowed attributes then
creates an SP-specific configuration which differs enough to confirm
that it is in fact overriding the default. It finishes by removing the
per-SP configuration and ensuring that it falls back to the IdP-default.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Thu, 9 Apr 2015 18:59:41 +0000 (14:59 -0400)]
Make the authtest login plugin provide more info
Provide more variables to test for in allow attribute and mapping
testing.
Adds givenname (Test User), surname (the username) and
email (username@example.com).
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Wed, 8 Apr 2015 20:13:55 +0000 (16:13 -0400)]
The last allowed/mapping rule can be removed in SPs
If you created rule(s) in an SP for either allowed attributes or
attribute mapping there was no way to remove the last rule meaning
it could never go back to use the global defaults.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 7 Apr 2015 19:05:59 +0000 (15:05 -0400)]
SAML SP template page is no longer needed
The page is built up using the option_config.html template now.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 7 Apr 2015 19:34:43 +0000 (15:34 -0400)]
Add per-SP attribute mapping and allowed attributes
The per-SP values are considered overrides and the global values
are default.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Wed, 8 Apr 2015 13:44:14 +0000 (09:44 -0400)]
Rename and move PluginConfig to ConfigHelper
The configuration class was originally intended to be tied. At this
point it is quite generic and useful outside of plugins. Rename
it to something more generic and move it into the config module.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 7 Apr 2015 19:33:32 +0000 (15:33 -0400)]
Convert SAML2 SP Provider UI to use Config object
This makes the look-and-feel the same between the SAML2 configuration
and the per-SP configuration.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 7 Apr 2015 19:27:51 +0000 (15:27 -0400)]
Move mapping and complex list helpers out of class
This is so other classes which are not an AdminPage can also have
access to these helpers.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Tue, 7 Apr 2015 19:07:17 +0000 (15:07 -0400)]
Rename plugin_config template to option_config
Give the configuration template, which maps Config objects into
HTML, a more generic name.
Along with the rename this also drops the user.is_admin check so
a user can manage their SP data.
The backend still enforces writing.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Simo Sorce [Mon, 6 Apr 2015 19:19:22 +0000 (15:19 -0400)]
Use disabled template for mappings and lists
This way lists and mappings can be empty and still allow cloning
of the last row which is always disabled and hidden.
The javascript now clones the last row then fixes the indexes in the
new cloned row, and re-enables and un-hides the previous last which
becomes a new empty row.
https://fedorahosted.org/ipsilon/ticket/25
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Tue, 31 Mar 2015 18:23:49 +0000 (14:23 -0400)]
Print exceptions when saving data fails in admin UI
There were places where a broad exception was caught when saving
administrative changes but the actual exception wasn't logged. The
user was presented only with a 'Failed to save data!' message.
https://fedorahosted.org/ipsilon/ticket/39
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Patrick Uiterwijk [Mon, 16 Mar 2015 14:54:53 +0000 (15:54 +0100)]
Rework package setup
This way you can install saml2 client without ipsilon-base.
Also, -base is the server itself, ipsilon will give you the
installer with it.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Fri, 10 Apr 2015 00:47:29 +0000 (02:47 +0200)]
This was renamed to _groups internally
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Thu, 9 Apr 2015 23:20:25 +0000 (19:20 -0400)]
If sys.exit is called or SystemExit raised, don't display success
If sys.exit is called, which raises SystemExit, the finally at the
end of the installer was treating it as a successful install and
displaying messages to the user. Catch this exception and mark
the install as failed to prevent this.
https://fedorahosted.org/ipsilon/ticket/66
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Tue, 3 Mar 2015 04:02:03 +0000 (23:02 -0500)]
Rename nss info plugin to match format of info+name
This also eliminates a namespace collision with python-nss
https://fedorahosted.org/ipsilon/ticket/104
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Patrick Uiterwijk [Mon, 6 Apr 2015 10:10:27 +0000 (12:10 +0200)]
Check if test deps are installed
https://fedorahosted.org/ipsilon/ticket/91
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Nathan Kinder [Tue, 7 Apr 2015 18:53:52 +0000 (11:53 -0700)]
Extend default SAML IdP metadata validity period
Our current default IdP metadata validity period is hardcoded to 30
days. This is very limiting for anything other than a test environment
unless there is a way to allow SPs to automatically fetch updated metadata
on a regular interval.
This patch increases the default validity period to 5 years. In addition,
a new option for ipsilon-server-install is provided to allow a different
validity period to be specified.
https://fedorahosted.org/ipsilon/ticket/103
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Nathan Kinder [Mon, 6 Apr 2015 16:35:03 +0000 (09:35 -0700)]
Suppress --config-profile option from installer script help output
The --config-profile option for the ipsilon-server-install and
ipsilon-client-install commands is designed to be used by the
in-tree functional tests. It is not meant to be used by users,
but we are advertising the option in the help output. This patch
suppresses the option from the help output.
https://fedorahosted.org/ipsilon/ticket/37
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Nathan Kinder [Fri, 3 Apr 2015 02:32:11 +0000 (19:32 -0700)]
Add document on web app integration for SAML
This adds documentation on recommended practices for integrating
web applications with Ipsilon for SAML SSO.
https://fedorahosted.org/ipsilon/ticket/43
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Nathan Kinder [Thu, 2 Apr 2015 00:36:22 +0000 (17:36 -0700)]
Validate SP names for admin pages and REST
We were previously only validating the SP name in the admin pages
for SP creation and update. The REST API would allow a SP to be
created with an invalid name, which would break the ability to
manage that SP in the admin pages.
This patch moves the SP name validation logic out of the admin
page code and centralizes it in the provider creation code. This
ensures that validation will occur regardless of the interface
that is used. In addition, a helper method is added to allow
the admin page to check if a name is valid during update operations.
https://fedorahosted.org/ipsilon/ticket/102
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Nathan Kinder [Tue, 31 Mar 2015 02:36:04 +0000 (19:36 -0700)]
Allow SP registration from ipsilon-client-install
This optionally allows a SAML SP to be registered with the IDP when
running ipsilon-client-install. To register an SP, the following
options are used:
--saml-idp-url (Ipsilon IDP URL)
--saml-sp-name (Name to register the SP as)
--admin-user (Ipsilon admin user)
--admin-password (Ipsilon admin password file)
If the --saml-idp-url option is set, we attempt to register the SP.
The --saml-sp-name option is required if you are registering a SP.
The --admin-user already defaults to admin, so it only needs to be
specified if your admin user has a different username. If the
--admin-password option is not specified, we prompt for the password.
The --saml-idp-metadata was previously required, but this option is
redundant if the new --saml-idp-url option is specified and you are
not using a local copy of the IDP metadata. You can now just use
the --saml-idp-url option, and we build the metadata URL from it.
This helps to minimize the number of required options when you are
registering an SP during installation.
https://fedorahosted.org/ipsilon/ticket/101
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Mon, 30 Mar 2015 15:42:10 +0000 (11:42 -0400)]
IdP-initiated logout for current user
Perform Single Logout for the current user when a logout is initiated
in the IdP.
A fake initial session is created. In the current logout code the
initial logout requestor holds the final redirect URL. In this case
it redirects back to the root IdP page.
https://fedorahosted.org/ipsilon/ticket/87
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Nathan Kinder [Tue, 31 Mar 2015 04:21:31 +0000 (21:21 -0700)]
SP uninstall attempts to run install
When running 'ipsilon-client-install --uninstall' to uninstall a SP,
we call the install routine again after completing the uninstallation.
This leads to confusing error messages about missing required options.
This patch corrects the uninstallation logic.
https://fedorahosted.org/ipsilon/ticket/100
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Mon, 30 Mar 2015 20:19:48 +0000 (22:19 +0200)]
Release v0.5.0
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Mon, 30 Mar 2015 14:38:10 +0000 (16:38 +0200)]
Add options to explicitly set database uris during install
Also offer the option to set the OpenID database URI during install
https://fedorahosted.org/ipsilon/ticket/17
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Thu, 26 Mar 2015 19:36:02 +0000 (15:36 -0400)]
Use all SSSD domains for info plugin by default.
Rather than requiring --info-sssd-domain as an argument make it
an optional argument, defaulting to enabling all SSSD domains.
Convert the argument from a single value into a list so that multiple
invocations can be made and all domains in the list will be enabled.
There is still the possibility that failures in configuring a domain
will occur (no domain found, for example) and these are considered
"soft" failures. That is it won't abort the server installation.
https://fedorahosted.org/ipsilon/ticket/78
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Thu, 26 Mar 2015 18:55:27 +0000 (14:55 -0400)]
Add a method to Installer classes to validate argument input
There was no way to validate argument input from plugins and
cause the installer to bail out. If a plugin needs to validate
some input it can use the validate_args() method and raise
ConfigurationError() if an issue is found.
https://fedorahosted.org/ipsilon/ticket/78
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Wed, 25 Mar 2015 21:29:22 +0000 (17:29 -0400)]
Try to return a redirect instead a 400 for "not logged in" state
If the user is not logged in and submits a valid logout request
then just redirect the user to the RelayState in the request
indicating that the logout was successful. This provides a better
user experience.
https://fedorahosted.org/ipsilon/ticket/88
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Thu, 19 Mar 2015 19:20:28 +0000 (15:20 -0400)]
Add tests for Name ID functionality
Some Name ID formats are not implemented so are expected to fail.
Kerberos is implemented but the test is done using form authentication
so no Kerberos principal is available so authentication is denied.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Mon, 23 Mar 2015 21:25:55 +0000 (17:25 -0400)]
Make unspecified the default Name ID format, add to enabled list
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Thu, 19 Mar 2015 19:19:24 +0000 (15:19 -0400)]
Allow user to specify Name ID format when configuring SP.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Mon, 23 Mar 2015 17:57:12 +0000 (13:57 -0400)]
Implement urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Return the name the user authenticated with.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Thu, 19 Mar 2015 19:15:26 +0000 (15:15 -0400)]
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
This also makes persistent the default NameID format when generating
metadata.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Wed, 18 Mar 2015 14:16:38 +0000 (10:16 -0400)]
Implement urn:oasis:names:tc:SAML:2.0:nameid-format:transient
NameQualifier and SPNameQualifier are optional and are not included.
https://fedorahosted.org/ipsilon/ticket/27
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Rob Crittenden [Thu, 26 Feb 2015 20:25:07 +0000 (15:25 -0500)]
When a new logout session is received, save old session ids
When a new login session is received and an existing session
exists in logout, save the old session IDs.
These will be included in the sessions to logout of the SP.
This will ensure that if the user clears their cookie cache,
for example, that any previous sessions will also be logged
out.
https://fedorahosted.org/ipsilon/ticket/64
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Simo Sorce [Wed, 18 Mar 2015 00:25:18 +0000 (20:25 -0400)]
Add LDAP test
This finally tests the LDAP login/info plugins as well as the special
"groups" attribute.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Simo Sorce [Wed, 18 Mar 2015 00:22:25 +0000 (20:22 -0400)]
Fix fetching infoldap plugin groups
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
John Dennis [Mon, 26 Jan 2015 22:11:03 +0000 (17:11 -0500)]
set SELinux boolean httpd_can_connect_ldap when install infolap and authldap
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Rob Crittenden [Mon, 16 Mar 2015 20:31:55 +0000 (16:31 -0400)]
Set Cache-control on all generated pages, centralize in Endpoint
See "Bindings for the OASIS Security Assertion Markup Language (SAML)
V2.0" section 3.2.3.2.
https://fedorahosted.org/ipsilon/ticket/7
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
John Dennis [Wed, 18 Mar 2015 21:14:07 +0000 (17:14 -0400)]
Assertion AttributeStatements must be non-empty
The saml-core-2.0-os specification section 2.7.3 requires
the AttributeStatement element to be non-empty. Shibboleth verifies
this and rejects assertions that do not comply. We gather attributes
into a local dict first before adding them to the AttributeStatement
so the fix is easy. Test if the dict is empty, move the initialization
of the assertion AttributeStatement inside the test so it's
conditional on whether the dict has members.
https://fedorahosted.org/ipsilon/ticket/61
Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Nathan Kinder [Sat, 14 Mar 2015 17:00:51 +0000 (10:00 -0700)]
Allow SP installation to be on non-standard ports
When setting up a SP using ipsilon-client-install, there is no
ability to use a non-standard port. We should allow a port number
to be specified that results in the proper URLs in the SP metadata.
This patch adds a --port option to ipsilon-client-install. This is
used in the construction of the URLs used in the SP metadata as well
as in the httpd redirect rules if httpd is being configured.
https://fedorahosted.org/ipsilon/ticket/92
Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Simo Sorce [Tue, 17 Mar 2015 17:22:06 +0000 (13:22 -0400)]
Properly handle groups info in SAML provider
Also removes internal attributes (any attribute that starts with _
Fixes: https://fedorahosted.org/ipsilon/ticket/71
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Simo Sorce [Wed, 18 Mar 2015 00:18:21 +0000 (20:18 -0400)]
Add negative authentication test
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Simo Sorce [Tue, 17 Mar 2015 23:01:59 +0000 (19:01 -0400)]
Fix error returned from login plugins
Some login plugins use form based authentication and let the user retry
on authentication errors. This is fine, however the wrong error code is
returned in this case, 401 should be returned.
Fixes: https://fedorahosted.org/ipsilon/ticket/94
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Patrick Uiterwijk [Mon, 16 Mar 2015 14:07:41 +0000 (15:07 +0100)]
Make SSSD Info enable the httpd_dbus_sssd boolean.
https://fedorahosted.org/ipsilon/ticket/23#comment:13
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Patrick Uiterwijk [Mon, 16 Mar 2015 14:16:03 +0000 (15:16 +0100)]
Build dated RPMs by default
This stores the build date and git commit in the version.
This way, it's a lot easier to determine when it was last built.
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Rob Crittenden [Mon, 16 Mar 2015 18:34:24 +0000 (14:34 -0400)]
Save user attributes on subsequent calls to login.
When a login comes in via the remote_login() call no
user attributes are set. These may be later filled in by
a subsequent call to login() after the info plugins are
called but a short-circuit in that function exits if the
user matches the current session.
Add an extra conditional such that if the user matches,
userattributes are passed in and the current user attributes
for this user is empty then save the new data.
https://fedorahosted.org/ipsilon/ticket/86
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
Rob Crittenden [Fri, 13 Mar 2015 18:56:26 +0000 (14:56 -0400)]
Use the IPA API directly when adding the HTTP principal
This is the only way to force in a custom version string
so that the remote IPA server doesn't reject the request
as being newer than the server.
This also removes the need to iterate over all servers
as the IPA connection API does this automatically.
https://fedorahosted.org/ipsilon/ticket/47
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Nathan Kinder <nkinder@redhat.com>
projects / cascardo / ipsilon.git / log