    def configure(self, opts, changes):
        """Set up the SAML2 IdP plugin from the installer options.

        Returns immediately unless ``opts['saml2'] == 'yes'``.  Otherwise
        it creates the private storage directory, generates the IdP
        certificate/key pair, writes the IdP metadata document, stores the
        plugin configuration in the database and enables the plugin.

        Args:
            opts: installer option mapping; reads ``data_dir``,
                ``hostname``, ``secure``, ``instanceurl``,
                ``saml2_metadata_validity``, ``saml2_session_dburl``,
                ``database_url``, ``system_user`` and, optionally,
                ``gssapi``.
            changes: not used by this method.

        Returns:
            None.
        """
        if opts['saml2'] != 'yes':
            return

        # Private storage for the IdP key material.  Mode 0o700 is still
        # subject to the umask, and a directory that already exists is not
        # re-chmodded here (ownership/permissions are fixed up at the end).
        storage = os.path.join(opts['data_dir'], 'saml2')
        if not os.path.exists(storage):
            os.makedirs(storage, 0o700)

        # NOTE(security): a single key pair serves both signing and
        # encryption for now; separate per-role keys would be preferable so
        # that compromise of one role does not affect the other.
        idp_cert = Certificate(storage)
        idp_cert.generate('idp', opts['hostname'])

        # Base URL advertised in the metadata.  With secure=no the endpoints
        # are plain http, which exposes SAML assertions in transit -- only
        # acceptable for local testing.
        scheme = 'http' if opts['secure'].lower() == 'no' else 'https'
        base_url = '%s://%s%s' % (scheme, opts['hostname'],
                                  opts['instanceurl'])
        lifetime = timedelta(int(opts['saml2_metadata_validity']))
        meta = IdpMetadataGenerator(base_url, idp_cert, lifetime)
        kerberos_nameid = 'gssapi' in opts and opts['gssapi'] == 'yes'
        if kerberos_nameid:
            meta.meta.add_allowed_name_format(
                lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
        meta.output(os.path.join(storage, 'metadata.xml'))

        # Persist the plugin configuration, discarding anything left from a
        # previous configuration run.
        plugin = PluginObject(*self.pargs)
        plugin.name = 'saml2'
        plugin.wipe_data()
        plugin.wipe_config_values()
        # An explicit session DB URL wins; otherwise derive one from the
        # generic database_url template.
        session_db = opts['saml2_session_dburl'] or opts['database_url'] % {
            'datadir': opts['data_dir'],
            'dbname': 'saml2.sessions.db',
        }
        plugin.save_plugin_config({
            'idp storage path': storage,
            'idp metadata file': 'metadata.xml',
            'idp certificate file': idp_cert.cert,
            'idp key file': idp_cert.key,
            # Random per-install salt (uuid4 is os.urandom-backed in
            # CPython) used when deriving persistent NameIDs.
            'idp nameid salt': uuid.uuid4().hex,
            'idp metadata validity': opts['saml2_metadata_validity'],
            'session database url': session_db,
        })

        # Register the plugin as an enabled login provider.
        plugin.is_enabled = True
        plugin.save_enabled_state()

        # Restrict the key material so only the ipsilon system user can
        # read it.
        files.fix_user_dirs(storage, opts['system_user'])
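    def configure(self, opts, changes):
        """Set up the SAML2 IdP plugin during installation.

        Returns early unless ``opts['saml2'] == 'yes'``.  Otherwise creates
        the private storage directory, generates the IdP key pair, writes
        the IdP metadata, stores the plugin configuration and enables the
        plugin.

        Args:
            opts: installer option mapping; reads ``data_dir``,
                ``hostname``, ``secure``, ``instance``,
                ``saml2_metadata_validity``, ``saml2_session_dburl``,
                ``database_url``, ``system_user`` and, optionally,
                ``gssapi``.
            changes: not used by this method.

        Returns:
            None.
        """
        if opts['saml2'] != 'yes':
            return

        # Check storage path is present or create it.  ``0o700`` replaces
        # the Python-2-only ``0700`` literal (a syntax error on Python 3);
        # the mode is still subject to the umask and is not applied to a
        # directory that already exists.
        path = os.path.join(opts['data_dir'], 'saml2')
        if not os.path.exists(path):
            os.makedirs(path, 0o700)

        # Use the same cert for signing and encryption for now.
        # NOTE(security): separate per-role keys would be preferable.
        cert = Certificate(path)
        cert.generate('idp', opts['hostname'])

        # Generate IdP metadata.  secure=no advertises plain-http endpoints,
        # which exposes SAML assertions in transit; only for local testing.
        proto = 'https'
        if opts['secure'].lower() == 'no':
            proto = 'http'
        url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
        validity = int(opts['saml2_metadata_validity'])
        meta = IdpMetadataGenerator(url, cert,
                                    timedelta(validity))
        if 'gssapi' in opts and opts['gssapi'] == 'yes':
            meta.meta.add_allowed_name_format(
                lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)

        meta.output(os.path.join(path, 'metadata.xml'))

        # Add configuration data to the database, replacing anything left
        # from a previous configuration run.
        po = PluginObject(*self.pargs)
        po.name = 'saml2'
        po.wipe_data()
        po.wipe_config_values()
        config = {'idp storage path': path,
                  'idp metadata file': 'metadata.xml',
                  'idp certificate file': cert.cert,
                  'idp key file': cert.key,
                  # Random per-install salt (uuid4 is os.urandom-backed in
                  # CPython) for persistent NameID derivation.
                  'idp nameid salt': uuid.uuid4().hex,
                  'idp metadata validity': opts['saml2_metadata_validity'],
                  # Explicit session DB URL wins over the derived default.
                  'session database url': opts['saml2_session_dburl'] or
                  opts['database_url'] % {
                      'datadir': opts['data_dir'],
                      'dbname': 'saml2.sessions.db'}}
        po.save_plugin_config(config)

        # Update global config to add the login plugin.
        po.is_enabled = True
        po.save_enabled_state()

        # Fix up permissions so only the ipsilon user can read these files.
        files.fix_user_dirs(path, opts['system_user'])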
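def init(workdir):
    """Create the SAML2 and OpenID Connect key material for a quickrun instance.

    Writes a self-signed IdP certificate and its metadata document under
    ``workdir/saml2``, and an RSA-2048 OpenID Connect signing key set to
    ``workdir/openidc.key``.

    Args:
        workdir: directory that holds the quickrun instance state.

    Returns:
        None.
    """
    # Initialize SAML2, since this is quite tricky to get right.  The
    # entity/endpoint base is plain http on localhost -- development only.
    cert = Certificate(os.path.join(workdir, 'saml2'))
    cert.generate('certificate', 'ipsilon-quickrun')
    url = 'http://localhost:8080/'
    validity = 365 * 5
    meta = IdpMetadataGenerator(url, cert, timedelta(validity))
    meta.output(os.path.join(workdir, 'saml2', 'metadata.xml'))

    # Also initialize OpenID Connect with one RSA-2048 signing key.
    keyfile = os.path.join(workdir, 'openidc.key')
    keyset = JWKSet()
    rsasig = JWK(generate='RSA', size=2048, use='sig', kid='quickstart')
    keyset.add(rsasig)
    # The exported set contains the private key.  Create the file with mode
    # 0600 instead of the umask default (typically 0644), and re-apply the
    # mode in case the file already existed with looser permissions.
    fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as m:
        os.fchmod(fd, 0o600)
        m.write(keyset.export())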
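def init(workdir):
    """Create the SAML2 and OpenID Connect key material for a quickrun instance.

    Writes a self-signed IdP certificate and its metadata document under
    ``workdir/saml2``, and an RSA-2048 OpenID Connect signing key set to
    ``workdir/openidc.key``.

    Args:
        workdir: directory that holds the quickrun instance state.

    Returns:
        None.
    """
    # Initialize SAML2, since this is quite tricky to get right.  The
    # entity/endpoint base is plain http on localhost -- development only.
    cert = Certificate(os.path.join(workdir, 'saml2'))
    cert.generate('certificate', 'ipsilon-quickrun')
    url = 'http://localhost:8080/idp'
    validity = 365 * 5
    meta = IdpMetadataGenerator(url, cert,
                                timedelta(validity))
    meta.output(os.path.join(workdir, 'saml2', 'metadata.xml'))

    # Also initialize OpenID Connect with one RSA-2048 signing key.
    keyfile = os.path.join(workdir, 'openidc.key')
    keyset = JWKSet()
    rsasig = JWK(generate='RSA', size=2048, use='sig', kid='quickstart')
    keyset.add(rsasig)
    # The exported set contains the private key.  Create the file with mode
    # 0600 instead of the umask default (typically 0644), and re-apply the
    # mode in case the file already existed with looser permissions.
    # (The original body line was tab-indented, which Python 3 rejects as
    # inconsistent indentation; spaces are used throughout now.)
    fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as m:
        os.fchmod(fd, 0o600)
        m.write(keyset.export())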
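    def _get_metadata(self):
        """Return the IdP metadata XML, regenerating it when the cached copy is stale.

        The file at ``self.cfg.idp_metadata_file`` is reused while its mtime
        is younger than ``METADATA_RENEW_INTERVAL`` seconds.  If it is older,
        missing or unreadable, a fresh document is generated from the IdP
        certificate/key and written back atomically.

        Returns:
            str: the metadata document.
        """
        metadata_file = self.cfg.idp_metadata_file
        try:
            # stat + open inside one try: a file removed or made unreadable
            # between the two calls now triggers regeneration instead of
            # propagating an exception.
            fresh_after = time.time() - METADATA_RENEW_INTERVAL
            if os.stat(metadata_file).st_mtime > fresh_after:
                with open(metadata_file) as m:
                    return m.read()
        except (IOError, OSError):
            pass  # no usable cached copy: fall through and regenerate

        # Otherwise generate and save
        idp_cert = Certificate()
        idp_cert.import_cert(self.cfg.idp_certificate_file,
                             self.cfg.idp_key_file)

        validity = int(self.cfg.idp_metadata_validity)
        meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
                                    timedelta(validity))
        body = meta.output()

        # Write to a temporary name and rename over the old file so that a
        # concurrent reader (another worker serving the metadata) never sees
        # a truncated document.  rename() replaces atomically on POSIX when
        # both names live on the same filesystem, which they do here.
        tmp_file = metadata_file + '.tmp'
        with open(tmp_file, 'w') as m:
            m.write(body)
        os.rename(tmp_file, metadata_file)
        return body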
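    def _get_metadata(self):
        """Return the IdP metadata XML, regenerating it when the cached copy is stale.

        The file at ``self.cfg.idp_metadata_file`` is reused while its mtime
        is younger than ``METADATA_RENEW_INTERVAL`` seconds.  If it is older,
        missing or unreadable, a fresh document is generated from the IdP
        certificate/key and written back atomically.

        Returns:
            str: the metadata document.
        """
        metadata_file = self.cfg.idp_metadata_file
        try:
            # stat + open inside one try: a file removed or made unreadable
            # between the two calls now triggers regeneration instead of
            # propagating an exception.
            fresh_after = time.time() - METADATA_RENEW_INTERVAL
            if os.stat(metadata_file).st_mtime > fresh_after:
                with open(metadata_file) as m:
                    return m.read()
        except (IOError, OSError):
            pass  # no usable cached copy: fall through and regenerate

        # Otherwise generate and save
        idp_cert = Certificate()
        idp_cert.import_cert(self.cfg.idp_certificate_file,
                             self.cfg.idp_key_file)

        validity = int(self.cfg.idp_metadata_validity)
        meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
                                    timedelta(validity))
        body = meta.output()

        # Write to a temporary name and rename over the old file so that a
        # concurrent reader (another worker serving the metadata) never sees
        # a truncated document.  rename() replaces atomically on POSIX when
        # both names live on the same filesystem, which they do here.
        tmp_file = metadata_file + '.tmp'
        with open(tmp_file, 'w') as m:
            m.write(body)
        os.rename(tmp_file, metadata_file)
        return body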
            return data
        else:
            with open(path, 'w') as f:
                f.write(data)


if __name__ == '__main__':
    import tempfile
    import shutil
    import os

    tmpdir = tempfile.mkdtemp()

    try:
        # Test IDP generation
        sign_cert = Certificate(tmpdir)
        sign_cert.generate('idp-signing-cert', 'idp.ipsilon.example.com')
        enc_cert = Certificate(tmpdir)
        enc_cert.generate('idp-encryption-cert', 'idp.ipsilon.example.com')
        idp = Metadata()
        idp.set_entity_id('https://ipsilon.example.com/idp/metadata')
        idp.set_role(IDP_ROLE)
        idp.add_certs(sign_cert, enc_cert)
        idp.add_service(SAML2_SERVICE_MAP['sso-post'],
                        'https://ipsilon.example.com/idp/saml2/POST')
        idp.add_service(SAML2_SERVICE_MAP['sso-redirect'],
                        'https://ipsilon.example.com/idp/saml2/Redirect')
        for k in SAML2_NAMEID_MAP:
            idp.add_allowed_name_format(SAML2_NAMEID_MAP[k])
        md_file = os.path.join(tmpdir, 'metadata.xml')
        idp.output(md_file)
            return data
        else:
            with open(path, 'w') as f:
                f.write(data)


if __name__ == '__main__':
    import tempfile
    import shutil
    import os

    tmpdir = tempfile.mkdtemp()

    try:
        # Test IDP generation
        sign_cert = Certificate(tmpdir)
        sign_cert.generate('idp-signing-cert', 'idp.ipsilon.example.com')
        enc_cert = Certificate(tmpdir)
        enc_cert.generate('idp-encryption-cert', 'idp.ipsilon.example.com')
        idp = Metadata()
        idp.set_entity_id('https://ipsilon.example.com/idp/metadata')
        idp.set_role(IDP_ROLE)
        idp.add_certs(sign_cert, enc_cert)
        idp.add_service(SAML2_SERVICE_MAP['sso-post'],
                        'https://ipsilon.example.com/idp/saml2/POST')
        idp.add_service(SAML2_SERVICE_MAP['sso-redirect'],
                        'https://ipsilon.example.com/idp/saml2/Redirect')
        for k in SAML2_NAMEID_MAP:
            idp.add_allowed_name_format(SAML2_NAMEID_MAP[k])
        md_file = os.path.join(tmpdir, 'metadata.xml')
        idp.output(md_file)